Australian Cyber Security Magazine, ISSUE 7, 2019


THE MAGAZINE FOR AUSTRALIAN INFORMATION SECURITY PROFESSIONALS | www.australiancybersecuritymagazine.com.au @AustCyberSecMag ISSUE #7 2019

Women online: Australia’s e-Safety Commissioner
Waking up to the benefits of diversity
Teaching cyber hygiene in schools
My journey, from student to cyber security graduate
Cybersecurity journey empowered by diversity
BOOK GIVEAWAY: Troll Hunting

OT Cybersecurity must improve in 2019
The Encryption Act
Monitoring threat actors
Biometric data and potential for misuse
Cyber risk management in finance
Penetrating real-time threat behaviour

#BalanceforBetter ALL WOMEN SPECIAL EDITION



Driving growth in Australia’s cyber security sector

OFFICIAL MEDIA PARTNERS MySecurity Media are Official Media Partners to the Australian AustCyber Trade Mission for the RSA Conference, San Francisco #OzCyberinUSA2019

From ideation to export, and everything in between, AustCyber works with:

• Startups
• Government agencies
• Scale-ups
• Research organisations
• Corporates
• Educational institutions
• Venture capital funds

AustCyber acts as a connector and a multiplier, assisting Australian cyber security organisations to successfully access:

• Funding across all stages of the commercialisation cycle
• Profitable global supply chains and growth markets

The first step is to connect with us: www.austcyber.com

info@austcyber.com

+612 9239 3250

@AustCyber


FOCUS ON SECURITY THE 2019 SECURITY EXHIBITION & CONFERENCE:

WHERE YOUR SECURITY NEEDS ARE BROUGHT INTO FOCUS

24-26 JULY 2019 ICC SYDNEY DARLING HARBOUR

Gain insight into the newest innovations that are reinventing the industry. AI, biometrics and tech inventions are moving at lightning speed and smart technology is inspiring new discoveries every day.

EXHIBITION IS FREE REGISTER NOW

Industry leaders, new visionaries and expert users are all joining together to exchange ideas and developments. The Security Exhibition + Conference is Australia’s largest and most established commercial security event that cultivates innovation, solves problems and leads an industry to be the best in the world.

#security2019

securityexpo.com.au



THE ASIAL SECURITY 2019 CONFERENCE

BUILDING RESILIENCE TO COMBAT CHANGING SECURITY THREATS The ASIAL Security Conference hosts a compelling program of renowned local and international experts, academics and visionaries addressing how to strengthen your capabilities, managing risk, a digital future, emerging technologies and innovations, integration and more. It is your annual opportunity to receive fundamental updates from the organisations shaping today’s security landscape in a program carefully curated by the industry’s peak body. The format and content of the program reflects critical industry updates and challenges on the first day, followed by your choice of streamed executive briefings on the second and third day of the program. Bring your security needs into focus, stay up to date with the latest developments and gain a competitive advantage with proven strategies to tackle a rapidly changing industry.

SECURE YOUR EARLY BIRD TICKET & ENTER THE DRAW

TO WIN A PENTHOUSE HOTEL SUITE DURING THE EVENT!

HEADLINE SPEAKERS

HUGH RIMINTON – Author, Television News Presenter, Radio Broadcaster. Conference Moderator

NICK ALDWORTH – MPA DipPR, National Coordinator Protect & Prepare, Counter Terrorism Policing National HQ, New Scotland Yard

DR TONY ZALEWSKI – Director, Global Public Safety Pty Ltd

JOHN LOMAX – General Manager Asset Protection, The Star

KELLY SUNDBERG – Associate Professor, Mount Royal University (Canada)

SHARA EVANS – Futurist, Market Clarity

NICK DE BONT – Chief Security Officer, Thales Australia

DR LISA WARREN – Clinical/Forensic Psychologist, Clinical Director, Code Black Threat Management

SECURITYEXPO.COM.AU FOR FULL SESSION DETAILS

BOOK NOW TO SECURE YOUR PLACE and take advantage of the early bird discount.

EXHIBITION HOURS
Wed 24 July: 9:30am – 5:00pm
Thurs 25 July: 9:30am – 5:00pm
Fri 26 July: 9:30am – 3:30pm

CONFERENCE HOURS
Wed 24 July: 9:00am – 5:00pm
Thurs 25 July: 9:00am – 2:30pm
Fri 26 July: 9:00am – 2:30pm

Lead Industry Partner


Contents

Editor's Desk 5
Write for us! 6
Women online: The power and promise of tech 12
#BalanceforBetter - Waking up to the benefits of diversity 16
Why Cyber Security is a great career choice for women 20
Always learning: Transitioning to cybersecurity 24
A glimpse into my journey, from student to cyber security graduate 26
NTT’s cybersecurity journey empowered by diversity 30
Schools are the soft underbelly of cyber and need more focus 34
Teaching cyber hygiene in schools 38
A CISO's journey to security transformation begins with consideration 40
A new author has emerged 44
BOOK REVIEW – The Secure CIO 46
BOOK REVIEWS – Troll Hunting 47
BOOK EXCERPT – The Secure CIO 48
The importance of valuing data 52
Assumptions and Fallacies in Data Protection and Privacy 54
OT Cybersecurity must improve in 2019 56
The Encryption Act 60
Will Australia’s data protection authorities grow some teeth in 2019? 62
Legal changes required for the cyber security landscape 66
Zero trust security 68
Monitoring threat actors 70
The wrong hands: Biometric data and its potential for misuse 72
NSW cyber security - 2 years in review 75
Cyber risk management in finance 78
The power of the group in cybercriminal activities 80
Penetrating real-time threat behaviour - Cyber analytics and the pen tester 84

Guest Editor: Dr Jodie Siganto
Director & Executive Editor: Chris Cubbage
Editor: Tony Campbell
Director: David Matrai
Art Director: Stefan Babij

MARKETING AND ADVERTISING
T | +61 8 6465 4732
promoteme@australiancybersecuritymagazine.com.au

Copyright © 2019 www.mysecuritymedia.com promoteme@mysecuritymedia.com. All material appearing in Australian Security Magazine is copyright. Reproduction in whole or part is not permitted without permission in writing from the publisher. The views of contributors are not necessarily those of the publisher. Professional advice should be sought before applying the information to particular circumstances.

SPECIAL EDITION IN RECOGNITION OF International Women's Day (March 8), an important day to celebrate women's social, economic, cultural and political achievements and call for gender parity. internationalwomensday.com @womensday #InternationalWomensDay #BalanceforBetter #IWD2019

CONNECT WITH US
www.facebook.com/apsmagazine
@AustCyberSecMag
www.linkedin.com/company/my-securitymedia-pty-ltd
www.youtube.com/user/MySecurityAustralia

Like us on Facebook and follow us on Twitter and LinkedIn. We post about new issue releases, feature interviews, events and other topical discussions.

www.cyberriskleaders.com | www.mysecuritymedia.com | www.australiansecuritymagazine.com.au | www.aseantechsec.com | www.drasticnews.com | www.asiapacificsecuritymagazine.com | www.chiefit.me | www.cctvbuyersguide.com

DOWNLOAD NOW!


Editor's Desk
Why I think more women in cyber security is a good idea
By Dr. Jodie Siganto

I’ve long supported involving a more diverse group of people in information security. I’ve not been alone, and it’s been really encouraging to see so much effort being done to achieve this, for example, by ensuring equal representation on panels, focusing on women at most industry events and some great initiatives like the Australian Women in Security Network (AWSN).

Increasing the number of women in cyber security is often linked to the cyber security skills shortage. Presumably the idea is that more women will increase the total number of cyber security workers and help solve the ‘problem’. For me though, it’s more than just a numbers game, or a solution to the supply problem. Women and others from diverse professional backgrounds are essential in re-positioning security to make it fit-for-purpose for the 21st century.

Information security, as understood by most practitioners, is about protecting the confidentiality, integrity and availability of information assets. To do that, you establish a secure perimeter, mostly using technological controls, excluding untrusted ‘outsiders’ and protecting weak and vulnerable insiders, often from their own stupidity. Ever hear that ‘users are the weakest link’? If only we could get rid of those pesky users, life would be so much easier! With this view of information security, although we can talk about risks and harm, about threats and attackers, about cyber warfare, we find it hard to articulate the value of security in a positive sense. For me, this framing of cyber security as a defensive, on-going war against aggressive, sophisticated enemies is an exclusionist narrative and a major turn-off. Not only that, this view of the world is no longer fit for purpose. Women bring a much-needed new perspective to information security which will help our profession keep up with the changing needs of the community we serve.

Many of the contributors to this edition are interested in social solutions: in looking at ways that people can be made to feel safe and secure, in building human resilience, in establishing teams, developing soft skills, working with people to see how security can help them do their jobs better rather than get in the way. Even my review of regulatory responses and activity is looking at the effectiveness of non-technological levers for behaviour change within security and data protection practice. Asking different questions can help re-formulate some of the fundamental principles of cyber security, so we can answer in a meaningful way some of the big questions like ‘What is it that information security enables organisations, people and our broader community to do?’; ‘What are the values we hold dear that information security supports?’; ‘What freedoms can we create through cyber security?’ If we could answer these questions, we could better articulate what information security means as a public good, and its value to us as individuals, to organisations and more broadly to our community. And with this shared view, we should be able to build a better, more resilient, safer networked world based on trust and shared values. After that, we can move on to solving world hunger!

Thank you to the ACSM for giving women in cyber security the opportunity to be heard, and congratulations to all the women included. May our voices continue to be loud and strong for a very long time.

For this issue we have gathered together an eclectic bunch of articles from many of Australia’s brightest and best women in security. We have content from academia to enterprise, from cyber security students to professionals in forensics and artificial intelligence; we’ve covered every contemporary topic that’s important to today’s professional. You’ll see regular contributors such as Annu Singh and Sarah James are back talking about some of their research, while new ACSM contributors such as Connie McIntosh offer an interesting view on why cyber security is a perfect industry for women, and Jackie Mazzocato talks about how a keen focus on operational technology is needed in 2019, especially given the proliferation of OT and IoT devices in critical infrastructure and the mining and resources sectors. We hope you enjoy this issue of ACSM and if you have any questions, comments or just want to say hi to anyone on the team, drop us a note via our website.

Jodie and the ACSM editorial team.

DOWNLOAD THE APP & HAVE A CHANCE TO WIN A BOOK GIVEAWAY!


WRITE FOR US!

Reach out to over 15,000 industry professionals per month!

The Australian Cyber Security Magazine is seeking enthusiastic cyber security professionals who are keen on writing for our magazine on any of the following topics:

• Digital forensics in Australia
• Workforce development
• Security in the development lifecycle
• Threat management and threat hunting
• Incident management
• Operational security
• Security book reviews
• Risk management
• True crime (cybercrime)

If you are interested in writing for us, please send your article pitches (no more than 200 words) to the editors’ desk at: editor@australiancybersecuritymagazine.com.au

Interested in Blogging? You may or may not be familiar with our website, which also provides daily infosec news reviews, as well as our weekly newsletters. We’d like to hear from anyone who’d be interested in contributing blog posts for our platform that reaches out to over 10,000 industry professionals per month, where you can express your opinions, preferences, or simply rant about the state of the cyber security world. If you stay on topic and stick to the facts, we’ll be happy to publish you. If interested, email the editors at: editor@australiancybersecuritymagazine.com.au


AUSTRALIAN CYBER SECURITY MAGAZINE - INTERNATIONAL WOMEN'S DAY
#BalanceforBetter ALL WOMEN SPECIAL EDITION

AUTHORS AND CONTRIBUTORS

Mihoko Matsubara
Brenda van Rensburg
Nicole Murdoch
Maryam Jafari Lafti
Connie McIntosh
Dr. Brigitte Lewis
Jane Frankland
Sharmane Tan
Sarah James
Daisy Sinclair
Jackie Mazzocato
Magda Lilia Chelly
Katherine Robertson
Jacqui Nelson
Annu Singh
Julie Inman Grant
Jacinda Erkelens
Jodie Siganto
Maria Milosavljevic
Pip van Wanrooij
Claire Pales
Jamie Lee MacDonald
Ridhi Garg
Kylie Watson
Jane Lo
Emily MajorGoldsmith


Bringing all of the MSM channels together on one platform for the latest and greatest in security, technology and events from across the Asia Pacific and the world. Now available on Apple and Android platforms.

Commenced in November 2017, the Cyber Security Weekly Podcast has surpassed 120 interviews and provides regularly updates, news, trends and events. Available via Apple & Android. Over 55,000 downloads in the first year.

EXCLUSIVE MEDIA PARTNERS

A dedicated channel for Boards, C-Suite Executives and Cyber Risk Leaders to highlight cyber threats as a key business issue.

Event opportunities in Sydney, Melbourne, Brisbane & Singapore providing attendees a special experience and additional takeaways, including podcast interviews and print media. Visit www.cyberriskmeetup.com

The Australian Cyber Security Magazine was launched in agreement with the Australian Information Security Association (AISA) to be focused on AISA’s 3,000 members, nationally and forms part of AISA’s national cyber security awareness and membership communication platform.

The Australian Security Magazine is the country’s leading government and corporate security magazine. It is published bi-monthly and is distributed to many of the biggest decision makers in the security industry. Provoking editorial and up-to-date news, trends and events for all security professionals.

The region’s newest government and corporate Technology and Security magazine, with a focus on the Southeast Asia region and the 10 ASEAN member nations

My Security Media rapidly expanded into the Asia Pacific Region with its sister publication – the Asia Pacific Security Magazine. It is published bi-monthly. It is available online to read by all and upon every issue release a direct link is sent to a database of subscribers who are industry decision makers.

Dedicated channel for all things about Drones, Robotics, Autonomous systems, Technology, Information and Communications

Technology channel partner ecosystem platform with a natural focus on Big Data, Internet of Things and fast emerging technologies

MySecurity Media can facilitate specialist round-table luncheons or breakfast sessions for up to 20 invited guests for high level discussion on Security & Cybersecurity themes, guided by the Vendor’s Leaders and accompanied with published content.

The MySecurity TV Channel delivers news and interviews for the Asia Pacific Security Magazine, Australian Security Magazine and Australian Cyber Security Magazine – and from across MySecurity Media channels.

promoteme@mysecuritymedia.com

www.mysecuritymedia.com


The ‘go-to’ tool for leading professionals: UPCOMING EVENTS, COURSES, WEBINARS, WHITEPAPERS, SOLUTIONS

promoteme@mysecuritymedia.com

www.mysecuritymarketplace.com



Cyber Security

Women online: The power and promise of tech
By Julie Inman Grant, Australia’s eSafety Commissioner

It’s 6am. You roll over and start the daily routine—touch the phone on, check the weather, scan emails and messages. Get up, shower, dress, have breakfast. Hustle the kids through their morning while arranging the day with your partner and checking the news online. Head out the door for drop-offs on the way to work. Power through the to-do list, checking Facebook, Twitter, news sites, messages and emails during the day. Look at recipes online for dinner ideas. Bask in a little Pinterest as you wind down for the day while noting what the kids are looking at online. Head to bed with a little Netflix on the tablet, and fall asleep—with two devices nearby.

This scenario is a common one. In Australia, a staggering 86% of households have home internet access. There’s much that appeals: technology has allowed us to expand our horizons in ways we could not have imagined only a decade ago. We now research, learn, read, watch, plan, play, share and communicate with friends, family, businesses and strangers online using a range of devices from smartphones to tablets, laptops, computers and gaming handsets. It’s a smorgasbord of entertainment, connection and experiences. There is a spectrum of benefits, from small-scale improvements in access and connection, all the way to opening up previously unforeseen personal growth or overwhelming business success. The list is long and varied.

But there is a flipside. For all the power that technologies have granted us, and the promise of improvements to our lives, there are also a range of shortcomings. And while negative experiences online are not solely the domain of women, females are unfairly represented as victims of cyber abuse and targets of appalling online behaviour. As an example: research conducted by the Australian Bureau of Statistics showed that one in four Australian women has experienced emotional abuse from a current or former partner, and one in six Australian women has experienced violence from a current or former partner. In most cases this abuse and violence includes the use of technology to abuse, control and stalk. Of the one in five Australians who have experienced image-based abuse—when intimate, nude or sexual images or videos are shared without the consent of those pictured, or are threatened to be shared—women between 18 and 24 years are most likely to be the targets. Women are also more likely to be targets of personal, sexual and gender-based cyber abuse than men.

In a recent research project, my office looked at the experiences of women from culturally and linguistically diverse (CALD) backgrounds and found that these women experience similar difficulties online, but also face additional barriers when it comes to seeking support for technology-facilitated abuse. Researchers noted a number of reasons for this: language barriers; a lack of trust in state institutions, based on experiences from their home country; not knowing what services are available to help; low digital literacy, which heightens vulnerability to technology-facilitated abuse; and a lack of awareness that such use of technology may constitute a criminal offence. Interestingly, the impacts of technology-facilitated abuse on CALD women are not substantially different to the impacts experienced by other women. But social isolation may be amplified for CALD women where fear of shaming is particularly strong. These issues are not exclusive to women, nor are they any less significant for others in our communities, but it is worth noting that they are more prevalent.

As we mark International Women’s Day we have a meaningful opportunity to share the issues women experience online and the pathways available to help them to seek assistance, work on solutions and find support. This is what the Office of the eSafety Commissioner aims to do—safeguard Australians at risk from online harms, ensuring that everyone is supported to engage safely online. At the Office our role extends from offering a complaints service for young Australians who experience serious cyberbullying to identifying and removing illegal online content, tackling image-based abuse, commonly referred to as ‘revenge porn’ and ‘sextortion’, and working with industry to place safety at the beating heart of product development—what we call Safety by Design.

Safety and security

It’s worth noting how safety, security, and indeed privacy intersect and overlap. From my 17 years of experience at Microsoft I know that safety used to be the poor cousin to security and privacy. Thankfully, as online services and platforms become more broadly aware of user needs, the tide is beginning to turn. Users are increasingly fed up with the lack of civility online and fearful about exposure to inappropriate content, conduct and contact. In the Venn diagram of the responsibilities and concerns of the safety and security communities, there is a large overlap which, I would argue, is growing. Safety is a natural companion of security: safe practices are secure ones.

For a safety culture to be truly effective, we need to embrace security as a core concern also. And, as security professionals, we have a responsibility to lend our knowledge and influence to this fight and encourage this kind of change within and outside our organisations. Together we can help improve the world online.

Safety by Design

Safety by Design evolved from our acknowledgement that in order to improve protections for users online, we need not only their awareness of safety concepts, but the greater involvement of service providers themselves. We need to drive up standards of user safety within the technology community, to encourage consistency and standardisation. Developers, engineers, and online service providers play an incredibly important role in shaping online environments—and our safety within them. Our Safety by Design (SbD) initiative aims to provide online services with a set of realistic, actionable and achievable measures to better protect and safeguard users online. It includes the SbD Framework and SbD Principles: a model template and benchmark for industries of all sizes and stages of maturity, providing guidance to incorporate, enhance and assess user safety considerations throughout the design, development and deployment stages. They place user safety as a fundamental design principle that needs to be embedded from the start. In 2018, a detailed consultation process with industry, trade bodies and organisations with responsibility for safeguarding users, as well as parents, carers and young people, helped to guide the development of the SbD Framework. The broad aim was to ensure that all aspects of user safety are considered in a meaningful and practical way. We have since refined the SbD Principles and now look forward to the next stage of this program, where we will work with industry and others to ensure user safety is embedded into the design, function and content of services.

Online safety, for all Australians

Safety by Design is an ideal complement to the many audience-specific programs already provided by the Office to help educate all Australians about online safety. These include comprehensive and targeted content for:

• parents and carers through the iParent website
• older Australians on BeConnected
• educational resources and training for schools
• reporting for cyberbullying
• reporting of illegal online content
• research to: support, encourage, conduct and evaluate research about online safety for Australians; collect, analyse, interpret and disseminate information about online safety; publish reports and papers relating to online safety for Australians.

For women, we have developed specific programs—eSafetyWomen, IBA and WITS—to address some of the most harmful issues we face online.

eSafetyWomen

In 2016, the eSafety Office launched eSafetyWomen—a program which includes extensive web-based resources, workshops for frontline service workers and an online training program to help women impacted by technology-facilitated abuse. eSafetyWomen provides practical tips and information on how to secure online accounts and devices, as well as the red flags women should look for if they feel they’re being tracked or stalked online. The website includes a diagnostic technology check-up, more than 50 ‘how-to’ videos, case studies, and a range of interactive tools to help users understand the technology in their lives, and how to stay in control. The eSafetyWomen workshops are another important part of this program. Targeting frontline, specialist and support staff in the domestic violence sector, the workshops aim to equip them with the knowledge, skills and resources to empower women to better protect themselves against online abuse. Demand for our workshops continues to be strong, reaching more than 7,200 frontline workers in 400 workshop sessions by the end of 2018. In order to help the Office reach as many professionals as possible, we have also launched an online LMS which can be accessed anytime, anywhere. ‘eSafetyWomen—online training for frontline workers’ provides greater access to training resources and allows for more in-depth, interactive learning.

Image-based abuse

Another form of technology abuse adversely impacting women and girls—as well as Australians more broadly—is image-based abuse. Image-based abuse is when an intimate, nude or sexual image or video is shared, or is threatened to be shared, without the consent of the person in the image. While colloquially coined ‘revenge porn’ or ‘sextortion’ in the media, this is a misnomer which places blame on the victim, and the material could not be considered ‘porn’ as it is not created for the broader prurient interest. In 2017, the eSafety Office conducted a 4,000-person survey, including qualitative research with frontline workers and victims, and desktop research, to help inform the new image-based abuse web content and resources. Research showed that 1 in 10 adult Australians have experienced this insidious practice. This significantly increases to 1 in 5 for women aged 18–45 years, and 1 in 4 for Indigenous Australians. The impact of image-based abuse is severe. It not only affects victims’ mental, physical and emotional wellbeing, it also impacts on their relationships with family and friends, their jobs, and education. In some cases they’ve had to move interstate to escape the devastating feelings of shame and humiliation. To help those experiencing image-based abuse, the Office created world-first web content offering victims access to the resources they need. The simple and intuitive site offers victims and their friends and family a range of valuable information, links and tools to help them deal with image-based abuse. It also presents a range of pathways for victims to take action against the perpetrator and, if necessary, access support services or legal assistance. Legislation introduced in September 2018 has strengthened the Office’s powers to combat image-based abuse, with civil penalties for corporations who host the material, and individuals who share it.

WITS

Women Influencing Tech Spaces (WITS) is the third key Office initiative for women. It aims to protect and promote women’s voices online. Launched in May 2018, WITS works to empower women with the psychological armour to counteract cyber abuse and interact online with impact, confidence and resilience. It provides seminars and a website highlighting women’s personal stories of cyber abuse, as well as links to support and access to reporting services.

There is much being done, but so much more that we can achieve to help women, and our wider communities, to be safe online. As we celebrate International Women’s Day I ask you to consider whether you, and the women in your life, are both safe and secure in online interactions. Where this is not true, look for the gaps and aim to learn more. Where there is abuse online, see how you can support and offer assistance. With a mindful, shared approach we can craft a safer, better future. Together we can help improve the world online.

For more on the eSafety Office, visit www.esafety.gov.au


Cyber Security

#BalanceforBetter - Waking up to the benefits of diversity

T By Jane Frankland CEO of Cyber Security Capital and Founder of the IN Security Movement

oday is International Women’s Day and all over the world women are marking the day with events and celebrations. From marches, rallies, conferences, networking events, and online discussions, women and their allies are reflecting on the advancements they’ve made this past year, as well as the actions they’ll need to take to promote a ‘society free of oppression, exploitation and sexual violence.’ The campaign theme for 2019 is ‘Better the balance, better the world,’ with a hashtag of #BalanceforBetter. Looking back at last year and what women in cybersecurity tell me they want for this year, it seems fitting. Having travelled the world as a keynote speaker, author and consultant, I’ve spoken to thousands of women and men, and witnessed some incredible diversity initiatives. I’ve also devised my own when there was a need. And with my insights, it’s these I want to share with you. So, let me start with the good news. The industry is finally waking up to the benefits of diversity, particularly that of gender. There’s a growing recognition for diversity of background and experience, and that the arts, social sciences and computer science need to come together. More and more hiring managers and leaders are talking about STEAM rather than STEM. Neurodiversity, a concept where neurological differences including Dyspraxia, Dyslexia, Attention Deficit Hyperactivity Disorder, Dyscalculia, Autistic Spectrum, Tourette Syndrome, and others, is now being valued, too, just as any other human variation.

16 | Australian Cyber Security Magazine

Diversity isn’t just being talked about either. Governments and forward-thinking businesses all over the world are beginning to implement diversity initiatives and track progress. To say this excites me is an understatement. Focusing on diversity isn’t just about doing what’s right for minorities. It’s good for society. Diversity offers a strategic and competitive advantage to business: diverse teams are more productive, innovative and cost-effective than homogeneous teams. Reports show gender and cultural diversity offers a 35% performance improvement, which is significant. When we examine gender diversity, risk and cybersecurity, countless studies show us that women and men gauge risk differently. Women are far better at assessing odds than men, and this often manifests itself as an increased avoidance of risk. As women are typically more risk averse, their natural detailed exploration makes them more attuned to changing patterns of behaviour, a skill that’s needed for correctly identifying threat actors and protecting environments. They also don’t fall for attacks that are written purely for men. Research reveals that women score highly when it comes to social and emotional intelligence, and that the collective intelligence of a group increases with more women. Women are super proficient at remaining calm during times of turbulence, a quality that’s required when breaches and major incidents occur. Women are also able to use their intuitive thinking skills to make good decisions quickly and without having all of the information, which is a requirement of a world that values speed and agility and is on the cusp of the Fourth Industrial Revolution. Men, for their part, tend to be more pragmatic in their thinking. What matters is that no one gender is better than another. It’s simply that men and women are subtly different, and when we come together to solve problems, we do a better job. We make faster progress (in terms of risk mitigation) and are less often blindsided.

Looking at initiatives for women, last year was undoubtedly a good year. I saw many more women’s groups springing up, and more women networking, leaning in, going for promotions, and negotiating for fair or better pay. On International Women’s Day last year (2018), I formally launched my book, IN Security. Bringing journalists and supporters together for a sell-out event, I raised awareness, garnered support for the IN Security Pledge and took the book to Amazon best-seller status. The book is still selling well, and importantly it’s doing its job. It’s working for women by empowering them. It’s helping women to feel not so alone. And, encouragingly, more women are growing in confidence and grit as a result. They write to me every single day to let me know. I’m immensely proud of the huge impact the book is making, and of the transformation my forthcoming IN Security training programmes will bring.

Looking at programmes around the world, several stood out. The first is the UK NCSC’s CyberFirst Girls Competition. The progress it’s been making year-on-year is impressive. Last year, 4,500 girls (1,200 teams) aged twelve to thirteen entered the competition. This year the numbers are continuing to rise, with more than twice the number of schools entering and three times the number of girls. In the USA, Palo Alto Networks and the Girl Scouts launched a variety of cybersecurity skills programmes for girls aged five to twelve, with badges, up to eighteen of them, awarded on competence and completion. Young Scouts are now being taught about data privacy, cyberbullying and how to protect themselves online. Older Scouts are developing coding skills, creating firewalls and learning about hacking. Then there is the Women in Cyber Mentoring Events (WICME) programme, run by the Australian Government. In conjunction with businesses, education providers and the research community, a two-day event showcased the breadth and depth of a cybersecurity career. Including keynote speakers, panel sessions, immersion courses, demonstrations, networking and mentor matching, the WICME programme created a safe space for women to share stories and career experiences. During the event I spoke at last year, I witnessed Amy Roberts and Lynne Moore from the Australian Cyber Security Centre, and Jessica Woodall and Jennifer Stockwell from Telstra, working tirelessly to provide mentoring to the next generation of women looking to excel in cybersecurity. As a result, many more women are choosing to continue with their cyber studies or gaining internships. WithYouWithMe is another innovative venture that’s continuing to make steadfast headway under the direction of Michelle Mosey. Delivering diverse and talented individuals into the cybersecurity workforce, the company is upskilling underutilised staff, like veterans and women, and getting them ready for new careers. It’s clear that all of the programmes and initiatives I’ve mentioned are helping to move the needle on gender diversity in cybersecurity.
In fact, according to organisations like (ISC)2, Forrester Research and Cybersecurity Ventures, women in cybersecurity are now estimated to be anything from fifteen to twenty-four percent of the workforce, a rise from eleven percent. Whilst this is a better story to tell, and should give us reason to celebrate, the bad news is that we still have a long way to go. As the not-for-profit organisation FITT said in its 2018 gender diversity report, “Equity is constantly being derailed by a range of largely cultural factors. Initiatives don’t work unless organisations also address resistance to change, implications of culture, unconscious bias, societal norms.” Diversity is a complex affair. Bias and abuse, such as harassment and bullying, are rife in our global cultures. With a strong attack culture, they’re built into the fabric of our organisations and the events we attend. And it’s no surprise to discover that cybersecurity tolerates discrimination very well. It’s hardwired to marginalise minorities, particularly women, and people are comfortable turning a blind eye. We witnessed issues at the RSA Conference in San Francisco. With around 45,000 attendees, only one female keynote speaker was featured, and this was the former White House intern Monica Lewinsky, someone who had no cybersecurity experience. Amid the uproar, and with few people turning a blind eye, Alex Stamos, Facebook's Chief Security Officer, took to Twitter and proposed a list of sixteen female speakers RSA could invite. When his suggestion was ignored and nothing changed, Our Security Advocates (OURSA), a one-day rival conference, was set up. I, too, experienced harassment (trolling) when I tweeted about the women in red dresses at Infosec and stood up for women. It led me to bring the industry together and create a global code of conduct for event organisers. Aligning with the Time’s Up movement and Now Australia, its purpose is to ensure that all people, especially women, are kept safe from inappropriate behaviour, such as bullying, harassment and assault, at cybersecurity events. Guaranteeing care and support, it sets a standard of behaviour that can be expected of event attendees, speakers, sponsors, partners, facilities staff and organisers. Now on four continents, it’s being supported by a multitude of organisations including Black Hat, the Cyber Security Challenge, (ISC)2, SANS, FITT, AISA, AustCyber, the Australian Cyber Security Centre, the Now Movement, AWSN, The Security & Influence Trust Group, Women Speak Cyber, Cyber Riskers, Brainbabe, CyberSN, Rela8te Group, Habitu8 and Telstra. Time will tell whether it’s successful, but one thing is certain: we have to establish rules, as beliefs follow behaviour.

Additionally, women are the barometers in our workplace. They are the canaries in the cage. If the culture of an organisation, event, or for that matter industry, has scores of women not joining, not attending and leaving, then there is undoubtedly a problem with culture. And whether it’s inclusion, harassment, entitlement or bias, we must pay attention, for performance, revenue, profits and stock prices will decline. This is why we must stop making gender diversity about minorities and start being clear: it is poor leadership driving poor culture and underperformance. It’s why we must change the dialogue. By focusing on ‘women in’ and gender diversity, we alienate prospective allies and divide a depleted, non-unified workforce. As I repeatedly say, ‘words are powerful’, and sadly, when we use these words or phrases, even when we say ‘men are welcome’, we signal that we are not inclusive. And this past year I’ve not only seen this but felt a growing animosity whenever the words ‘women in’ or ‘gender diversity’ have been used. Both men and women seem tired of them, and a widening gap in trust is emerging. As more women are speaking up in the aftermath of the #MeToo movement and women’s marches (which is good), many men are feeling uneasy, too. It’s leaving them feeling bitter, uncertain or even confused about where they fit in and how to behave with their female colleagues. And this is why I’m calling for a different approach to how we tackle gender diversity in cybersecurity.

When I presented in South Africa on Women’s Day, I became enlightened. I was reminded of the Rainbow Nation, a term coined by Archbishop Desmond Tutu to describe post-apartheid South Africa after the country's first fully democratic election in 1994. Elaborated upon by President Nelson Mandela, the term was intended to encapsulate the unity of multiculturalism and the coming together of people of many different nations in a country once identified with the strict division of white and black. We are at a time in our cybersecurity evolution where we need something similar. The wounds both inflicted and received through disrespect and dishonouring of both genders need to be healed. As women we need to unite with the dominant group, men, and pull in our male allies. All too often we rely on minority groups to fix what’s wrong. But what research tells us is that when they point out unfairness in their treatment, they’re actually less likely to be listened to or believed. Known in psychology as the Complainer Effect, the only way to rectify this is if someone from a dominant group speaks up and points it out. Now, I’m not suggesting that men need to charge in and play a liberator role. That would be disempowering to women. But what they can do is join the mission and help us end the patriarchy. For what’s good for women is good for men. As women, we must, therefore, unite. Together we are stronger. Only then will we be able to build a safer world in cyberspace and fully prosper.
About the Author
Jane Frankland, CEO of Cyber Security Capital and Founder of the IN Security Movement. Jane Frankland is an award-winning entrepreneur, international speaker and best-selling author. She has spent over twenty-one years in cybersecurity, built and sold her own hacking firm and been actively involved in leading industry accreditations, schemes and forums. She is the founder of Cyber Security Capital, and regularly trains and advises executives at indexed companies and fast-growing start-ups on business strategy and high performance. She is also the Founder of the IN Security Movement, a world leader in how to attract and retain more women in cybersecurity, a top 20 global influencer, board advisor, judge, and a LinkedIn Top Voice. She is regularly featured in media across the world. Valuing freedom, empowerment and entrepreneurship, she believes that increased diversity in cybersecurity will lead to greater performance. This is why she wrote her Amazon best-selling book, 'IN Security: why a failure to attract and retain women in cybersecurity is making us all less safe.' You can learn more about her at www.jane-frankland.com



Why Cyber Security is a great career choice for women

By Connie McIntosh, Manager Cyber Security Operations

Cyber Security is truly a great career choice for women. I know this because: 1. I am a woman; 2. I work in Cyber Security. Well, that’s stating the obvious, isn’t it… I have worked in most areas of IT and have focused on Cyber Security for over eight years, and loved every minute of it, so let me tell you a little about my journey to Cyber Security. Whilst studying my Bachelor of Information Comms I landed a role in what could only be described as a golden opportunity: working in a small, multifaceted and highly talented team made up mostly of former Australian Defence staff. I was given the opportunity to get my hands into everything, literally: from building servers, managing databases, hand-splicing fibre optic cables, building pin cables, cryptography, rekeying safe combinations, building fixed and portable networks, setting up routers and switches, and installing networks and systems with security by design.


Climbing under desks, in crawl spaces, getting electrocuted because a power board had no back and, of course, I grabbed it with two hands… Even that didn’t deter me in the slightest. I thoroughly enjoyed working in Parliament House; it has an incredible energy. It seemed, however, that no matter how many times I walked through the basement I’d still get lost. I spent many years doing this work across a few Government agencies including Finance, Defence and the Federal Attorney-General’s Department. Whilst at AGD a role came up in CERT Australia, the Federal Government’s cyber security agency at that time. I relocated to their Brisbane office to work with a great team of professionals focusing on Systems of National Interest and Critical Infrastructure. After five years of a four-hour-a-day commute to Brisbane I decided I needed to be closer to home. I was very fortunate to get to work with the most amazing teams in the University of the Sunshine Coast’s Information Technology Department as Manager of IT Systems. Within three years of being at USC, two of the most wonderful, innovative and entrepreneurial people, Dr Scott Snyder, Chief Operating Officer, and Professor David Lacey, were instrumental in creating USC’s inaugural Institute for Cyber Investigations and Forensics (https://www.usc.edu.au/institute-for-cyber-investigations-and-forensics). Professor David Lacey needs no introduction in this industry; he is Director of both the Institute and IDCARE. I am the Manager of Cyber Security Operations, and together we are building a world-class cyber forensic laboratory, teaching Cyber Security and running operations. We have an aggressive two-year plan to create a showcase where we can host students, researchers and commercial operations in the Institute for Cyber Investigations and Forensics. Our teaching program is like no other in Australia; we have a teaching staff of incredible expertise: Professor David Lacey, a Professor in Cyber Security who leads the field in forensics and identity; Leah Mooney, one of Australia’s premier cyber law specialists; Dr Graeme Edwards, a former Queensland Police officer, published author and cyber forensic expert; and Dennis Desmond, in identity security and management, data security, intelligence and defence. His experience includes United States Special Operations Command, special agent in cyber investigations for the FBI, and intelligence officer in the United States Army. To complement the teaching team, we have Brock Hill and Andrew Edmonds, our Cyber Security Technical Analysts.

What I would love to see is not only more women in my team, but more women in Cyber Security generally. Why, you might ask? Well, women bring a new perspective and different ways of looking at all areas of Cyber Security. Participating in Panopoly, a hackathon at the SIG conference, with my team at CERT Australia really opened my eyes to the fact that we all have different ways of approaching threat hunting or analysis, that women do think differently, and that women really complement the men in ways of working to achieve faster outcomes. Women think outside the box and most will also bring some fun to the team.

What we really need to do to encourage more women to choose Cyber Security as a career is stop propagating the myth that you have to be a coder to work in CyberSecOps. You DO NOT. Now let’s be clear, I’m not saying that coding isn’t a great tool to have in your toolbox, but it is something you can learn on the job and is only truly necessary if you are looking to specialise in the areas of:

• Penetration testing
• Threat hunting
• Reverse engineering malware

And even then, you have so many tools at your disposal. There are many roles where it would be incredibly unlikely that you would write any scripts yourself:

• Cyber threat intelligence
• Security Operations Center (SOC)
• Cyber incident responder
• Cyber Security operations
• Cyber Security compliance
• Security architecture
• Vulnerability and patch management
• Network defender
• Cyber Security risk assessment
• Cyber Security auditor

As you can see the breadth of roles is vast and some are more technical than others, but what we must agree on is that we need to stop telling school-aged girls that they need to be into STEM or be a coder to work in Cyber Security. We need to “tell it like it is and sell it like it is” if we want to see more women join this amazing career path. Whether male or female, there is something I believe is essential: you need to be PASSIONATE! Curiosity is also helpful when hunting and investigating issues, bugs, problems, abnormalities, patterns etc., and it is possible to do that with any background. I’d hire someone passionate and inquisitive and train them up before I’d have someone with a coding skill and a lack of passion work in my teams. Passion can be spotted a mile away and it’s all about personality meeting something that excites you. I can tell you first hand that working in a team of passionate cyber operatives is like never working a day in your life: it’s fun, it’s exciting, time flies, and it builds the ultimate team.
I can say that the Cyber Institute is everything, plus passionate, and I feel so incredibly blessed, and know that each and every one on the team chooses to be there; they don’t have to be there. My aim is to reach as many school-aged girls as I can, to help them see what brilliant and vast career opportunities are available to them in Cyber Security. Even if they are wanting to do Law, I want to let them know they can specialise in Cyber Law. Mentors are incredibly important to nurture the next generation of Cyber Security professionals; I want girls to know that there are female mentors out there who have paved the way and are happy to help them find their passion. What we need is consistent messages spread through the media and through business that stop the myths about Cyber Security and show that there are opportunities for girls who may not have realised what a fun and rewarding career Cyber Security really is, and that it’s achievable for anyone; you just need to find what area you are passionate about. I am always happy to help others and chat about all things cyber. You can connect with me on LinkedIn: https://www.linkedin.com/in/cyberconnie/

About the Author
Connie McIntosh is the Manager Cyber Security Operations at the University’s Institute for Cyber Investigations and Forensics. Connie was Assistant Director and Senior Technical Advisor at CERT Australia, the Australian Federal Government’s Computer Emergency Response Team, for five years, responding to incidents, gathering intelligence, sharing information and partnering with critical infrastructure owners to protect systems of national interest. Connie has worked in a number of Government agencies with Defence-grade encryption, secure systems, dark fibre networks and greenfield secure teleconferencing. She is a hands-on, experienced field operator, having performed a range of field operation tasks such as key management, safe combination changes, routing network changes, and installing and configuring secure field equipment. Connie was part of a review team that updated the Australian Government’s Information Security Manual. Connie holds Masters and Bachelor degrees in Information Systems.

Professional memberships
• Australian Information Security Association
• Australian Computer Society
• Women in Cyber Jutsu

Teaching areas
• Cyber Security


www.mysecuritymarketplace.com

The go-to tool for leading professionals

‘You’re the hero’

• View all national and international security events
• Promote your event on the home page
• Upload whitepapers



Always learning: Transitioning to cybersecurity

By Jacqui Nelson, CEO, Dekko Secure

Every day Jacqui Nelson, CEO of cybersecurity start-up Dekko Secure, thinks of a gem she heard on a trip to Israel last year: “Go as fast as you can. Then slowly, go faster.” Considering Dekko’s rapid growth since launching in May 2018, the mantra seems a good fit. Jacqui’s own path to Dekko, however, was much more incremental. When Jacqui began her career on equity trading floors in the early 1990s, heading a company wasn’t part of her plan. “I never thought, ‘Okay, I’m going to be CEO of a company’. I was more, ‘If it works out along the way, if I’ve got the right skills and I’m the best person for the job, then…’” And she certainly wasn’t striving to break any glass ceilings. “That’s not my style,” she shrugs. “I’ve just kind of grown into it.” Jacqui first encountered Dekko in 2016 when her investment consortium took on the small start-up as a seed venture. Dekko’s co-founders Dmytro Bablinyuk and Jay Haybatov were developing a cloud-based encryption platform when Jacqui, then a business expert – and a complete tech novice – met the pair. “My kids still laugh at the fact that I work in IT yet struggle to change channels on the TV on a good day! But like many people, I was worried about global privacy. I was worried about our personal freedoms being under threat, about losing control of who has access to our data and how they use it.” One of her concerns was that Google, Dropbox and other platforms could decrypt user data at will because the companies’ administrators manage users’ encryption keys. Dmytro and Jay had another idea: Dekko would generate user-only access keys, so that even the start-up’s own engineers would be unable to decrypt data exchanged on the platform. This way, they could take human-guaranteed privacy – then considered the apex of data protection – and replace it with system-ensured security. Jacqui was fascinated with Dmytro and Jay’s ideas. They had “deep maths, very deep computer science backgrounds,” she recalls. “They were so different to me, but I really liked them.” The feeling was mutual. As concerns about data protection became more widespread, Dmytro and Jay realised they would have to scale, and soon. Dekko needed someone with a commercial sensibility to introduce it to the world, so they turned to Jacqui.
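The key-custody distinction above, shown in working code, is an added example and not Dekko’s own code. One store keeps a provider-held master key, so an administrator can decrypt any record on demand; the other derives the key on the client from a passphrase (PBKDF2-HMAC-SHA256 with a 200,000-iteration work factor, both assumptions) and stores only salt, nonce, ciphertext and tag, so the same administrator call fails the authentication check and returns nothing. The cipher is a stdlib-only encrypt-then-MAC construction standing in for a real AEAD so the example runs without third-party packages; in production use AES-GCM or XChaCha20-Poly1305 from a vetted library. The operational price of user-only keys is visible in the same code: a user who forgets the passphrase is in exactly the position of the administrator, and the data is gone.

```python
"""User-held keys versus provider-held keys (added illustration, not Dekko's code).
The cipher (HMAC-SHA256 counter keystream XOR + HMAC tag) stands in for a real
AEAD such as AES-GCM purely so this runs with the standard library alone."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000  # assumption: a typical 2019-era work factor


def derive_user_key(passphrase: str, salt: bytes) -> bytes:
    """Runs on the client; the passphrase and the derived key never leave it."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys from one root key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: block i = HMAC(enc_key, nonce || i).
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> tuple:
    """Encrypt-then-MAC. Returns (nonce, ciphertext, tag)."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong key fails here."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class ProviderManagedStore:
    """The model the article criticises: the service holds the key, so its admins can decrypt."""

    def __init__(self):
        self._master_key = secrets.token_bytes(32)  # lives on the provider's servers
        self.records = {}

    def store(self, user: str, plaintext: bytes) -> None:
        self.records[user] = encrypt(self._master_key, plaintext)

    def admin_decrypt(self, user: str) -> bytes:
        return decrypt(self._master_key, *self.records[user])


class UserKeyStore:
    """User-only keys: the server holds salt, nonce, ciphertext and tag, never a key."""

    def __init__(self):
        self.records = {}

    def store(self, user: str, salt: bytes, blob: tuple) -> None:
        self.records[user] = (salt, blob)

    def admin_decrypt(self, user: str):
        # Nothing on the server can produce the key; any guess fails the MAC check.
        salt, (nonce, ciphertext, tag) = self.records[user]
        try:
            return decrypt(derive_user_key("", salt), nonce, ciphertext, tag)
        except ValueError:
            return None


def client_upload(store: UserKeyStore, user: str, passphrase: str, plaintext: bytes) -> None:
    salt = secrets.token_bytes(16)  # per-record salt travels with the ciphertext
    store.store(user, salt, encrypt(derive_user_key(passphrase, salt), plaintext))


def client_download(store: UserKeyStore, user: str, passphrase: str):
    """Plaintext, or None if the passphrase is wrong or the record was tampered with."""
    salt, (nonce, ciphertext, tag) = store.records[user]
    try:
        return decrypt(derive_user_key(passphrase, salt), nonce, ciphertext, tag)
    except ValueError:
        return None
```

Running `client_upload(UserKeyStore(), "alice", "correct horse battery staple", b"...")` followed by `admin_decrypt("alice")` on the same store returns None, while the equivalent `ProviderManagedStore.admin_decrypt` returns the plaintext; flipping one ciphertext byte before `client_download` also yields None rather than garbage, because the tag is checked first.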


At the time, Jacqui was transitioning out of actively managing the successful corporate merchandising company she’d founded two decades prior, Paper Scissors Rock. She was hungry for new opportunities but wasn’t sure about taking the role. “I was acutely aware that I didn’t have any deep technical knowledge. In fact, I joined the organisation with a view to finding someone else – the right person – to do the job.” In retrospect, Jacqui believes this was imposter syndrome talking. “I’m very aware of what I don’t know. So I reached out to people and said, ‘I have no idea what I’m doing here – can you please help me?’ And soon, I realised I didn’t need deep technical capability. My strengths were very different.” Today, Jacqui’s tech knowledge is extensive. But it was her strategic mind, and her thorough understanding of compliance and risk management, that turned Dmytro and Jay’s idea into a marketable product, one that would revolutionise the way its corporate and government clients approached data protection. This is a message Jacqui wants other women to hear: women like her, who are attracted to the high-growth IT industry but worried about their lack of tech knowledge. “Every experience you have – building a business, working in a big organisation – it’s the same skill base, just executed in a different environment. At the end of the day, you’ve got your product, and you take it to market.” But if the skills the IT industry needs are so transferable, why aren’t more women transitioning across? In 2018, just 28 per cent of the tech workforce was female. “I don’t think there’s been visibility around access to leadership roles,” Jacqui explains. “If I hadn’t been an investor in a tech company, I would never have believed I had the skill set to run one.” “Then again,” she points out, “we’re 50 per cent women in CyRise – a cybersecurity start-up accelerator Dekko was honoured to join last year – which is awesome. Interestingly though, the CEO – who picked us – said it wasn’t deliberate. In the same way, I’ve chosen three unbelievable mentors, but I had to look at it to realise I’d actually ended up with three women.” “The way I see it, if we all bring our best selves – regardless of gender – to the workplace, we can build organisations where men and women work together to drive significant change. The discussion around women in leadership today isn’t a women’s issue. It’s a human issue.” Human issues have always been close to Jacqui’s heart. She got involved with Kids in Philanthropy – a nonprofit that empowers children to create positive change in the world – in 2012, and looks forward to Dekko developing its own philanthropic fund one day. “Even now, our product really does make a difference. We empower organisations and citizens to control, manage and protect their own data. And that’s a really cool space to be in.” So, despite Jacqui’s initial reservations, she’s staying put. And has the CEO’s imposter syndrome gone away? Not entirely. “In fact, I recently suggested to our board, ‘You know I want to run Dekko, but I’d still like to bring a CEO in above me.’” A strange request perhaps, but it made sense to Jacqui. “It’s a bit like the Deputy PM,” she explains. “I feel they probably get more done than the PM. And I like getting stuff done.” Needless to say, the board didn’t entertain Jacqui’s suggestion for a moment.


A glimpse into my journey, from student to cyber security graduate

By Jacinda Erkelens

This article will shed some light on my personal journey into the workforce. Here I share my experiences, things I felt helped me, and initial observations.

How I felt about cyber security when I started my degree
When I received an offer I felt relieved. Although cyber security was included in my course structure, I didn’t perceive it as a career I would pursue. In fact, I avoided the idea of being involved in cyber security. The main reason for this was my father. Before anyone gets ahead of themselves, my father never discouraged or attempted to sabotage any potential career path. He was very supportive of me throughout my studies. However, he has had a career in information technology (IT) since the early 1980s and, from my understanding, was relatively well known. As advantageous as this could be for me career-wise, I never wanted to live under my father’s shadow.


Non-traditional methods of study
Competitions & hackathons: I find competitions and hackathons rewarding challenges which encourage out-of-the-box thinking. The Sydney Cyber 9/12 Student Challenge is a huge reason I have pursued a career in cyber security. This competition was initially brought to my attention via an email sent by my university. After a few weeks, one of my friends asked if I wanted to compete with her. Together we recruited a team (three security studies students and one IR/politics major). We also required a coach who was an academic or an individual with experience in cyber and/or IT. Too intimidated to ask any of the lecturers at university, I inserted my father’s information under the “coach” section. This competition was a brand new experience for all of us. We were fortunate my father was able to give up time out of his busy schedule to assist the team, including coming into university before the competition and being with us on the final day. The ‘kick-off’ evening before the event gave us an opportunity to meet other teams competing. At the end of that evening, we felt like little fish in the ocean. During the first day of the competition, everyone on the team was prepared but nervous. After round one, we felt we did alright but didn’t think we would make it to round two. We spent the rest of the day allocating essay proofreading to other members. However, this did not occur. To our amazement, we received ‘best decision document’ and ranked second. For the whole evening we were elated with the results, and many congratulations followed. During the semi-finals we had a repeat of the first day; we stuck to our policy recommendations and used a RAG chart. Again we ranked second, putting us in the finals. Then it became serious: we were locked in a room and needed permission to go to the bathroom, to prevent cheating. Although we did not win, being the only undergraduate team in the finals was a win for us. This competition also afforded me the opportunity to meet some incredible people in the industry.

Conferences & summits
During my final year of university I attended several conferences, including BSides, AISA and MPower, to name a few. In addition to hearing from and learning from a range of industry experts, each conference I attended had its own unique benefit. For example, ACSC fell in the same semester I was able to study my cyber security unit. I was able to use the information I acquired during the conference for some of my assessments, enhancing the quality of my work and my subsequent grade. The MPower summit had to be one of the most interesting experiences. As a result of my enthusiasm for cyber security, I was asked to co-present a panel about how people enter the cyber security industry. An exciting opportunity, I was intrigued to see behind the scenes of these types of events. I ended up playing a larger role than initially expected; I was asked to come up with questions and to assist with determining the order and who would be asked those questions. This also gave me a real opportunity to be part of a team and learn from the panellists. The panel itself ran smoothly and I will forever be grateful for the opportunity.

during my final year. I also received a significant amount of support from the Optus Macquarie University Cyber Security Hub. The type of support varied. For myself the most notable were; the opportunity to help the Hub create a cyber security challenge for high school students, invites to events including presentations by German MPs, the ability to compete in CySCA in Melbourne and attend the AISA conference. The Hub, as we all called it, has significance for me as it was the bridge between academia and the cyber security industry.

My place in this industry Making up approximately 11 per cent of the cyber security industry, being female also has an impact when I am in an industry event or the workplace. During the first day of BSides, my peers would describe me as the girl in the orange shirt and the majority would be able to identify me. However, I had a much harder time physically describing my male peers. This signifies the extent of the gender gap within this industry. Often invoking delight, people are pleased to see a young women in the industry. Many state this, but some make it clear they would want to hire me primarily based on my gender. As advantageous as my gender can be, I would like to be hired based on my skill set rather than chromosomes. With my limited experience, I can say confidently, the fact I come from a non-technical background is more shocking than being a women in this industry. Explanations are usually required when I explain I did not study IT or software engineering; how and why questions are very common. For me explaining this is a double edge sword; when answering I can look passionate or frustrated. One of my goals over time is to increase awareness surrounding non-technical cyber security roles, because I feel these roles hold equal importance in any organisation and the community. Fortunately, I was offered and accepted a non-technical cyber security role with a large Australian telecommunications company. So far, my team is happy to have me, and I look forward to seeing what impact I have, in my team, the company and potentially in the cyber security community.

Support

While I don’t think support is a necessity, it makes for a more comfortable and enjoyable experience trying to find your place in this industry. As mentioned before, my father was supportive of my career choice. In addition to being my team’s coach for the 9/12 challenge, he is someone I could bounce ideas off. For me, this was beneficial both in an academic sense, with assessments, and for any general advice. However, I would argue the most crucial support he and my mother provided was the ability to live at home rent-free during my studies. This gave me additional time to attend industry events or competitions, and less stress. Many of my peers juggled full-time study, work, and financial and emotional pressures. Without the support from my parents, I doubt I would have achieved so many things.


NTT’s cybersecurity journey empowered by diversity

By Mihoko Matsubara, Chief Cybersecurity Strategist, NTT Corporation, Tokyo.

This article aims to present how a Japanese company, Nippon Telegraph and Telephone (NTT) Corporation, is now willing to share insights and seeking collaboration with other countries, including Australia, in the course of a cybersecurity journey empowered by diversity. “Nippon” means Japan in Japanese. Dimension Data, part of the NTT Group, is honored to have had the opportunity to contribute to G20 Australia in 2014 and to Deakin University’s cybersecurity curriculum. Since Japan is hosting the 2020 Tokyo Summer Olympic and Paralympic Games and security is a key element for the success of the event, it is crucial for the country to enhance its cybersecurity and raise the global understanding of Japan’s cybersecurity efforts. Because everyone uses IT for their daily lives and business operations, cybersecurity is a fundamental part of today’s digitized world. The borderless nature of cyber threats requires academia, government, and industry to work together, bringing their expertise and innovative ideas across national borders. NTT is a global telecom company based in Tokyo.

While it started out as a telecom company, the NTT Group now has a wider range of business operations, from advertising, cybersecurity, facilities, finance, IT services and urban development to mobile phone and telecommunication services. Over 960 subsidiaries operate in more than 190 countries with 280,000 employees. If all the IT services provided by the different subsidiaries are combined, the total makes the NTT Group one of the top five IT companies in the world. This magnificent scale poses unique challenges to the Group. Since each subsidiary has a different business focus and size, their cybersecurity postures vary from one to another. Continuous mergers and acquisitions also complicate the business culture and communications. Thus, the Group needed to take three actions: first, redefining its cybersecurity strategy and vision; second, creating a common language on cybersecurity so that subsidiaries can communicate with one another; and third, providing a platform for cybersecurity professionals to network and collaborate across subsidiaries.

First, in 2018 NTT redefined its cybersecurity strategy and vision to overarch the entire NTT Group. In its vision, cybersecurity is an enabler for digital transformation, not a cost center. As a global company, NTT is responsible for driving cybersecurity-embedded digital transformation not only internally but also for customers externally. Furthermore, NTT is positioning cybersecurity as a differentiator and a reason for customers to choose it. This includes cybersecurity services for customers and 3,000 cybersecurity professionals in-house. However, it also covers cybersecurity thought leadership: sharing with academia, government, and industry what we see and experience as a Japan-based global company, such as cyber threats and our own and Japan’s cybersecurity efforts. NTT is the only Japanese company that has a dedicated cybersecurity thought leadership team. Although 100% security is impossible, cybersecurity efforts can be accelerated when organisations share the cyber threats they encounter as well as their trial-and-error cybersecurity processes, to minimize damage and learn lessons. This type of dialogue can lead to collective insights and a consolidated industry voice rather than one company’s concerns or interests. Government and academia would find it easier to prioritize cybersecurity policy and education by listening to accumulated insights from industry rather than fragmented individual opinions. That is why thought leadership is imperative to reach out to potential partners with shared values and collaborate with them.

Second, the NTT Group chose the US National Institute of Standards and Technology (NIST) Cybersecurity Framework as a common language to communicate among its subsidiaries with their diverse business sizes and focuses. This diversity makes NTT competitive and unique, bringing in varied talent and cultures. Given the business scale of the Group, the common language has to be global and comprehensive. The NIST Cybersecurity Framework was translated into Japanese in 2014. The Framework’s Five Functions, Identify, Protect, Detect, Respond, and Recover, allow the Group to be aware of which subsidiary has taken which cybersecurity measures and how much progress they have made. The NTT Group has a Chief Information Security Officer (CISO) Committee, which comprises CISOs from NTT Holdings and major subsidiaries. Committee members meet every quarter to discuss current cyber threats, incident reports, progress on cybersecurity measures, and cybersecurity talent. This Committee uses the NIST Cybersecurity Framework to check progress. NTT sent three speakers to the NIST Cybersecurity Risk Management Conference in Baltimore in November 2018 to talk about NIST Cybersecurity Framework adaptation at NTT and in Japanese industry.

Third, in 2015 the NTT Group launched the annual Cyber Security Practice Meeting (CSPM) to bring together 100 cybersecurity professionals from multiple subsidiaries to network, build trust, and learn about cybersecurity concerns and projects. Since customer commitments make it impossible to bring all of the NTT Group’s cybersecurity professionals together in one place, participants are selected based on manager recommendations.
This annual off-site meeting has helped to facilitate more dialogue and collaborative opportunities between subsidiaries over the last four years. The 1.5-day meeting comprises presentations by the leadership and guest speakers; workshops on sales and marketing, operations, and research and development; and dinner gatherings. Face-to-face meetings and exposure to internal and external insights catalyze the creation of comradeship and cooperation, especially after a few drinks. Diversity is weighed heavily in organizing the CSPM. Cybersecurity relies on multiple skills, such as business risk management, consulting, cyber threat intelligence, incident response, leadership, Network or Security Operations Center monitoring, and sales and marketing. Not only NTT subsidiaries but also customers operate in different countries and cultures. Respect for diverse perspectives matters. Thus, speakers, both men and women, were chosen from different teams and countries. The fourth CSPM, led by the Group CISO, was held in Washington DC last fall, and more than 100 cybersecurity professionals participated from 13 countries. The meeting aimed to create a common understanding of NTT’s cybersecurity vision and strategy; identify how NTT can become distinctive in cybersecurity; and strengthen the network of cybersecurity professionals beyond the borders of subsidiaries and countries.

Our cybersecurity journey has not been easy, but it has been blessed with our diversity. We are keen to share our insights with academia, government, and industry to contribute to cybersecurity, education, and policy in the world and in Australia.

About the Author

Mihoko Matsubara is Chief Cybersecurity Strategist, NTT Corporation, Tokyo. She is responsible for public advocacy to strengthen or expand networks with global thought leaders in academia, government, and industry by sharing NTT's and Japan's cybersecurity efforts. Matsubara worked at the Japanese Ministry of Defense before pursuing an MA at the Johns Hopkins School of Advanced International Studies on a Fulbright scholarship in Washington DC. She is Adjunct Fellow at the Pacific Forum, Honolulu, and Associate Fellow at the Henry Jackson Society, London.



Schools are the soft underbelly of cyber and need more focus

By Pip van Wanrooij

The modern cyber battlespace now includes schools. In recent times there has been a trend towards cyber-attacks on softer targets, including educational institutions. Schools, as major users of digital technologies, web-based platforms and data management systems, are being systematically targeted. The reality appears to be stacked in favour of the technically trained and well-funded bad actors. Disgruntled students are also inflicting highly damaging cyber-attacks of their own. Recently, there have been a number of high-profile attacks on schools in the Asia-Pacific region, amongst them Australia, Japan and India, and according to the K-12 Cyber Incident Map there have been more than 415 cybersecurity-related incidents involving U.S. public schools since 2016. In Australia’s K-12 school system, the focus has been predominantly on dealing with cyber-bullying, image-based abuse and irresponsible online behaviour, and on developing a simplified cyber safety message. However, as technology-led classrooms rely upon software applications, web-based platforms and mobile learning technologies to facilitate learning, this also serves as an entry point for the illicit harvesting of personally identifiable information (PII) and unregulated third-party access.

Schools hold sensitive and personal data points for teachers, staff and students. Online collaborative tools, including learning management systems, gradebooks and email, lack significant privacy controls and suffer from access management issues and poor password control. The increased use of cloud services, POS terminals, tap-and-go technology, remote user access and social media platforms by schools leaves them vulnerable to unauthorised access and security threats. Passive data collection by third-party vendors, and hackers accessing CCTV camera systems on school grounds, are leaving students and teachers exposed.

Cyber threats continue to grow and evolve

The sophistication and frequency of cyber intrusion and digital sabotage continue to evolve. Naivety about attacker methodologies, compromised devices, and software and hardware vulnerabilities allow systematic exploitation. School networks are increasingly targeted by ransomware, data theft and distributed denial of service (DDoS) attacks. The cyber threat continues to grow and evolve due to the prevalence and sophistication of social engineering tactics, the multitude of smart devices connecting to school networks, students’ improved hacking abilities and motivations, and overall poor cyber hygiene. The threat landscape continues to widen as schools make increased use of cloud-based data management solutions, educational learning apps whose passive data collection receives little regard, and multi-device connectivity.

Shifting the focus to schools

Crime-as-a-service (CaaS) is exploding globally. Cyber intruders look for opportunities to exploit PII, sensitive data, medical records and financial information. This information is then available to be sold on the dark web. Identity theft and fraud using children’s details are increasing. Most user accounts are compromised by clicking on a link in an email, surfing the web, or careless password management. Oversharing on social media networks, increased digital footprints and multiple smart-device connectivity are rarely considered a threat vector by teachers and parents. Schools and technology-led classrooms have become a gravy train for data mining, unregulated third-party access, geo-tagging and access control challenges. However, reliance upon digital technologies across K-12 to facilitate the core curriculum is prioritised. Schools are caught up within the digital economy, where data is stretched across various platforms and devices. A number of schools fail to implement basic steps to secure networks and data. Furthermore, educators and parents tend to have little comprehension of the security risks that 24/7 access, mostly without supervision, can bring.

Need is great for a community awareness programme

The growth of information technology, without an equivalent investment in cyber education, has left everyday users ignorant of and exposed to real-world security issues. In Australia, state and federal government spending on alcohol, drug, obesity and domestic violence programmes has been significant, but the investment in community cyber safety campaigns is abysmal. As each passing generation becomes immersed in technology, the cyber security awareness gap widens. Schools and communities need to implement cyber safety education and data breach training as a matter of urgency. As schools, communities and homes become more IT-enabled, and as individual ‘economic entities’ in our own right, identifying areas of vulnerability and improving cyber resiliency will contribute to enhancing long-term national cyber security. The nation of Estonia leads the way in strategy and best practice for navigating the digital world. Estonia’s e-government and information infrastructure were built upon ‘future-proofing’ its citizens. Improving the digital skills of the entire population is part of the Estonian Lifelong Learning Strategy 2020. Digital competence and technological literacy across all levels of education is a governmental strategic objective for Estonia’s Information Technology Foundation for Education (HITSA). Many schools are limited by budgetary constraints, and this has a trickle-down effect upon teacher and staff professional development and cyber security awareness.

Teacher (and student) digital savviness does not equate to an understanding of the interrelationship of security layers, from physical security through to cyber security. Across-the-board technological competency, and an understanding of network-centric security concepts and cyber behaviour elements, require immediate attention. The K-12 school community has been slow to identify and respond to cybersecurity challenges. As part of ‘Duty of Care’ and legal responsibilities, schools are required to take reasonable precautions to minimise any kind of safety risk to a child, including exposure to online risks. Liability considerations are likely to get messy if the data security and privacy of school stakeholders are not maintained.

The way ahead: K-12 cybersecurity awareness

Schools hold valuable digital assets. Safeguarding students, staff and school community stakeholders requires increased investment of money, time and learning opportunities. According to Fortinet, the education sector has recently surpassed healthcare and government as the industry that suffers the most ransomware attacks. Mistakes by education staff and third-party vendors, and a lack of digital literacy and cybersecurity awareness, are creating access points for cybercriminals and hackers. Daily use and integration of online tools and smart technology has increased the urgency to educate a risk-aware K-12 community. Policies and procedures for BYOD, network use and social media usage are continually addressed; however, school stakeholders (teachers, parents, staff and students) lack cyber security awareness training and awareness of the mandated requirement to report data breaches. The way ahead to improve K-12 cyber security awareness includes:

• Mitigating school cyber threats requires improved cyber resiliency awareness across K-12 schools through teacher professional development in cyber security awareness and age-appropriate cyber education.
• Improved vetting of educational apps and handling of privileged and authorised access controls.
• As there are significant differences between levels of federal and state school funding, state politicians need to raise awareness and find funding for schools in the form of gifting so it doesn’t come out of an already tight budget.
• Follow a security best-practice approach, creating an environment that considers functionality, privacy and security, and getting key infrastructure right at the outset through adherence to ASD principles.
• Create a community cyber resiliency advisory/liaison that focuses on the cyber health of schools within local communities and provides cybersecurity tips or guidance on protecting schools, students, parents and smart devices.

In conclusion, despite cyber-attacks and cybercrime getting significant airplay in the news, they have yet to influence political candidates at the state and federal level. All jurisdictions need to focus on dealing with the cyber security threat. Without political effort, a change in the public mindset is unlikely to occur. Ensuring schools and everyday users have the knowledge and skill to use technology purposefully and securely is intrinsic to societal stability. Living in an accelerated era of changing tech infrastructure, big tech companies, censorship and the layered reach of global communications will provide untold opportunities and potential misfortune. In an internet-powered digital economy, personal data sovereignty, cyber education and resiliency provide the key to the future of our communities and children. Without political support to enhance cyber security education, more individuals and schools are likely to become collateral damage.

About the Author

Pip van Wanrooij is an educator and security-focused professional with a background in higher education, research, technology and international engagement across various locales in Asia, Europe and Australia. She is currently in partnership with Western Australian district councils and collaborates with K-12 school communities on cyber literacy programmes, improving internet security and digital technology understanding and capability. As a speaker she has presented on cyber security awareness and data privacy at educational institutions, businesses and the K-12 community. Article References Available.


Teaching cyber hygiene in schools

Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime. - Maimonides

By Emily Major-Goldsmith Ambassador and Presenter at Edith Cowan University

As of 2018, the Australian Curriculum Council implemented a mass roll-out of a new element to both the primary and secondary school curriculums. Gone are the days when children were taught only Mathematics, English, Humanities and Science. The digital age has brought with it the need for a new generation of teaching. Children from Kindergarten through to Year 10 are beginning to be taught skills within the digital technology sphere. The new curriculum teaches elements such as acquiring, analysing and visualising data, understanding and designing algorithms, and creating user interfaces, along with much more. The previous, now reformed, curriculum encouraged students to study digital technology degrees at university. However, pupils were entering higher education with little to no understanding of what such degrees entail. Students left high school with very little knowledge of the content of the degrees, or of what digital technology encompassed. Hence, throughout university, students would have to learn an extensive amount of both basic and advanced skills to catch up to the level of information and understanding needed to enter the workforce. Whilst this method left students with a good amount of information gathered, in most cases there was a lack of knowledge about how to apply it in real-world scenarios. Our new generations will now be taught a sizeable amount of information regarding some important skills needed to navigate the digital world during primary and high school, hopefully freeing up their university studies to focus on more specific subjects, providing more practical and applicable knowledge and real-world experience.

Although this appears to be a marked improvement on the previous position, for me it doesn’t go far enough. The focus still appears to be on the new technologies and their merits. What we are failing to do through education, and as a society in general, is equip young people with the skills needed to understand the dangers, the loopholes and the backdoors associated with digital technology. In this changing field of education, if you teach a man to fish, you will feed him for a lifetime. But what happens when you teach a child about digital technology? Will they end up being someone else’s phish? Consider this: if a fish is taught to swim, probably through watching other sea creatures and being guided by its parents, it has gained a valuable life lesson. However, if it only ever learns how to swim, it is likely to swim too far and wander into shark-infested waters. Now, if the fish had been taught to swim, but also been taught not to stray too far from its home base, to stay with the other fish and not to make friends with ocean predators, it could safely use its skill in life, to its advantage.

Now, let’s swap the fish analogy and look at children; swap digital technology for the swimming lessons and the sharks for hackers, phishing scams and online predators. The child that has been taught about the dangers of the digital sphere, along with all the necessary skills, will be at an advantage. The skills they learn in primary and secondary school will aid them in understanding the intricacies and challenges of the digital world, not just the exciting parts. This more in-depth lesson will focus on the risks and hazards and will allow young people to benefit much more, providing many more practical skills within digital education. There are unlimited dangers within digital technology, and those dangers are increasing exponentially. The truth is, despite my suggestion, even with the greatest lesson all these dangers and challenges cannot be taught. Things are moving too fast; the sea is rough, and the predators are getting bigger and smarter. What can be done, though, is to raise the level of awareness about these choppy waters and their inherent dangers. The focus should be on teaching children, and indeed any users of digital technologies, appropriate strategies for protecting themselves from the deep-water dangers lurking in the digital world.

‘Cyber hygiene’ is a new term for the everyday education, practices and policies that assist users of digital technology to reduce risk. While most of these methods have been circulating for some time, placing them under an umbrella term can expand the range in which they are used and promote awareness. Cyber hygiene shouldn’t just be for IT workplaces, but for every business, school, library and home. Risk comes in many forms when it relates to digital technology. There can be risk to systems, to networks and to data. However, where there is risk, there can be mitigation. There are essentially two tiers to cyber hygiene: the first tier is that of education.
Education here means teaching all individuals, not just the school children I referred to before, the methods that can be implemented to reduce risk when using devices, regardless of whether they are personal, shared or open for public use. The second tier of cyber hygiene is that of practices. By this, I mean it is all well and good being shown how to use technology, but this must be coupled with information about the risks that can occur and even being told HOW to mitigate and control those risks. Prevention, as they say, is better than cure. We need to help technology users think about ravenous sharks constantly, providing practical advice about the implications of not applying cyber hygiene principles. Education should include the risks not only to computers but also to phones and other connected devices. Quite often these are forgotten about, but the issue here isn’t just laptops and personal computers. Each of these systems has specific vulnerabilities that can lead to different problems, such as misplaced data and security breaches. Explaining what these issues can mean in practice is helpful too. Explaining ‘what would that mean for me?’ is a good educational technique. Having people understand that their data could be stolen, their bank accounts hacked, or, for the youngsters, a video game account breached or their favourite application becoming unusable will hit at the heart of the issue and can help messages to be more impactful.

Whether it’s in schools or libraries, or even creating some basic rules for use at home within a family, it is a good idea to create a sort of hygiene policy, a bit like the one parents apply around teeth brushing and hand washing. If it is embedded and routine, it will become second nature. This means teaching disciplines like frequent password changes, choosing appropriate passwords or, even better, passphrases, updating software and hardware regularly, backing up data, limiting users, managing new installs, and so much more. Providing basic rules such as changing passwords every 30 days or checking for updates on a computer once per week can be the start of an embedded routine, a great basis for a more solid knowledge of the hygiene required to operate more safely in the digital world.

So, for me, teaching cyber hygiene is the way forward. We can teach digital skills, we can extol the virtue of various technologies as they evolve to excite and benefit users of all ages. However, schools, libraries and homes really do need to follow suit with many businesses in maintaining a sound security posture and making cyber hygiene a core discipline. Teach a child or any other user about digital technology and they might end up as someone else’s phish. But when you teach them cyber hygiene, they won’t be caught by the [inter]net.

About the Author

Emily is a third-year Cyber Security student at Edith Cowan University. Along with her studies, Emily is the Vice President of CoSIM, a student organisation aimed at connecting students with industry mentors. Emily also works with Edith Cowan University teaching high school students a variety of Computer Science subjects. Emily enjoys encouraging others, women and young people, into the science and mathematics arena and takes part in groups such as Kinetic IT women in IT events and Women in Cyber Security.


A CISO's journey to Security Transformation begins with 7 Considerations

By Magda Lilia Chelly, Managing Director of Responsible Cyber Pte.

Magda Lilia Chelly is a CISO On Demand. Magda’s two latest projects covered the roles of Regional ISO Lead Implementer for a Fortune 500 company (ISO 27001:2013) and Information Security Officer for a MAS (Monetary Authority of Singapore) regulated company covering Asia Pacific. Those projects gave her all the required expertise around regional and global regulatory landscapes, including privacy and cyber security legislation. They also provided the experience of building standards and policies and aligning with local, regional and international requirements and regulations, including the PDPA, GDPR, Cyber Security Act of Singapore, etc. Cyber security transformation is a cultural change, and among the challenges experienced by CISOs we find business and employee resistance to change. It affects the overall cyber resilience roadmap and the general cyber maturity of the company. So, what are the best quick wins to overcome those barriers? Magda will share her own experience, failures and successes rolling out new cyber controls, from start-ups to Fortune 500 companies.

This has been a really busy year for me, with all the emerging new cyber threats and my continuous responsibilities across the Asia Pacific region. I sometimes felt that I had done in a period of three years what would be the equivalent of 10 years. I have been constantly challenged and overwhelmed by requests from various business departments or business lines following increasing cyber security controls within the organizations. And this has definitely been a very rich experience to date. I started my CISO journey as a Chief Information Security Officer (CISO) for start-ups and small companies. This was therefore more the equivalent of a security advisor role, as those companies do not usually have extensive resources to manage. That said, it did require managing development teams and multiple vendors across the business. After those experiences, I moved to a more mature role, as CISO for a MAS-regulated company in the insurance industry. This allowed me to learn a different environment with high expectations and requirements, where the main business priority was to reduce in-house reliance and build an extensive ecosystem with external parties. Following that experience, I had the opportunity to continue with a role as Regional ISO Lead Implementer for a multinational organization. The scope of the role and the responsibilities extended tremendously, and I had the chance to work with the regional CISO for around a year. Today, I am proud to say that I have taken the role of Business Information Security Officer for Asia Pacific. The description of my career journey is crucial for the next points that I will be addressing in this article. In fact, as soon as I thought I had a good grip on the responsibilities and my CISO role, something new came along and made me understand that it is a continuous learning journey. In spite of the abundance of cyber security headlines in the newspapers, my experience has shown that, whatever we see there, our audience, the general public, has neither the right knowledge nor the expertise to deal with cyber security threats.

1. Do not assume - Explain fundamental concepts to the business

During my usual training sessions around the world for the general public, excluding security and IT professionals, I did not hear a single person define the concept of “encryption” properly. In fact, people hear the buzzword but do not understand its real definition or meaning. Have you asked your audience “Please tell me, what is the cloud?” before going into an intensive cyber security awareness session? If you have not, then do it and you will be surprised. Cyber security is a huge area, spanning many domains. When you mention concepts that seem basic to you, as a cyber security professional, make sure that they become basic for your audience. This greatly increases the efficiency of the training. Going through best cyber security practices without this crucial introductory phase will reduce your success and definitely reduce the audience’s interest.

2. IT and Security are in a Conflict of Interest most of the time

The goal of the IT and digital teams is facilitating business and realizing innovative projects faster. That said, it does also mean that security might be perceived in many cases as a business inhibiter. It makes sense that when including security in already scoped projects, it would extend the project timelines and slow-down the deliveries. Thus, have you presented cyber security as a business enabler? If not, you would need to start adopting this strategy in order to stay competitive and gain value and respect from the business. The shift here would be to make sure that security and privacy are not only presented as business enablers but also as risks’ mitigation. A combination of prioritization, standardisation and IT security frameworks would include security and privacy by design and smoothen its adoption at later stages. A very interesting aspect as well, would be to integrate security by default in any new user manual for newly adopted solutions. This is especially valid with all the cloud transformations, and I found it a good tip.

3. A One-Off Awareness Training will NOT be Cost-Effective

Along the same lines as the user manuals above comes awareness training. It might seem obvious to many CISOs that a one-off awareness training will not be sufficient; however, this habit still exists within companies. The organization spends an important amount to purchase a one-off phishing campaign followed by a one-off awareness training. Research on the forgetting curve shows that within one hour, people will have forgotten an average of 50 percent of the information you presented. Within 24 hours, they have forgotten an average of 70 percent of new information, and within a week, forgetting claims an average of 90 percent of it (Source: Brain Science: The Forgetting Curve - the Dirty Secret of Corporate Training).

The CISO needs to build the image of a transformational leader. He or she must define a strategy to enable cyber change within the company and help integrate security best practices within each department. Leading change can definitely be a complex task, especially in a multicultural environment. I have myself used a lot of lunch-and-learn events, cyber security drinks, posters, interviews, documentaries, online SharePoint websites, etc., and volunteers. This last idea, volunteers, I have not yet implemented myself; it was suggested by a great leader and friend in the space. Bringing in volunteers to help tackle cyber awareness and the lack of resources within an organization can definitely present a very good alternative to traditional approaches.

4. Development does NOT Necessarily mean Secure Coding

Having had the opportunity to work closely with development teams in start-ups and in Fortune 500 companies, the experiences shared one main conclusion: developers do not necessarily have security or privacy knowledge. Bringing in the OWASP Top 10 guidelines and providing policies will certainly help; however, it will not fix the main problem. Recognizing that the CISO's role is to create a culture where security and privacy are adopted by default leads immediately to this consideration. I have had very positive feedback from development teams when I or a vendor ran "Secure Coding" training. That enabled the developers and, especially, made them aware of the company's compliance and security requirements and of how they are active actors in achieving those through their involvement.

5. Security Needs to have a Knowledge of the Regulatory Landscape

Asia Pacific is an extremely complex region. Its definition varies, and it typically includes much of East Asia, South Asia, Southeast Asia, and Oceania. Each of those sub-regions has several countries with different cultures, legislation and ways of working. This complexity directly and indirectly impacts conduct, innovation, security and data. That said, for a regional CISO taking that scope on board, a main challenge is defining and explaining those differences to counterparts elsewhere in the world. In fact, as much as Asia Pacific is important and strategic for most businesses out there, it might still represent a lower revenue stream and therefore receive lower consideration in terms of budgets, involvement and initiatives. This becomes particularly challenging in a region where privacy laws differ from one country to another: for example, the privacy law in South Korea is one of the most stringent, and the Australian regulation requires data breach notifications, not to mention the data sovereignty challenges and differences between countries. All those facts might require significant infrastructure changes, with effective governance to balance privacy compliance against the costs generated.

6. Security enables Privacy

I have noticed during my recent experiences that there is sometimes a clear boundary between the Privacy Office and the CISO Office. I would say that there must be clear roles and distinctions; however, one is not able to work without the other. I have also been providing privacy training, including PDPA and GDPR introductions, to help the audience understand the main concepts and the general requirements. That will absolutely help communication with the privacy officer (a DPO assignment is mandatory in Singapore, for example, under the PDPA) and build a smoother compliance roadmap. However, and undeniably, a privacy regulation like the GDPR requires the involvement of various stakeholders, including lawyers. A cross-department communication plan needs to be built to create effective compliance, starting from the data risk assessment and asset inventory through to the implementation of security controls.

7. Communication is Key and Needs to be Addressed across Business Lines and Departments

Accepting the reality that communication is a challenge for multinationals across various departments and various countries allows the CISO to build the right measures and approaches to design his or her own communication plan. I have already mentioned a SharePoint website and volunteers across the business lines. Those quick wins are fundamental for a smoother way to share information between the concerned parties. The pace of the last three years in Singapore was madly busy. I expect the pace of 2019 to be unreasonably crazy as well, bringing more takeaways and lessons learned. I hope that, through my experiences, I have brought some practical points to the readers.



A new Author has emerged! Shamane Tan shares her story in this exclusive reveal.

By Shamane Tan, APAC Executive Advisor at Privasec, Founder of Cyber Risk Meetups

Given that this is a special women's edition, what better way than to share an exciting piece of news here. Last year, I started a weekly #coffeewiththeCSuite edition on LinkedIn. I enjoy my coffee chats, as my learning has been accelerated through times like these. As the CxOs shared their stories, I learnt about leadership. Influence. Execution. From the best of our leaders. I realised that more people need to hear their stories. Being able to have these confidential chats with C-suite leaders about their challenges, to have them show me their strategies and get involved, I realised I was sitting on a gold mine. There was all this wealth of insights, and it struck me one day: "Why not put all of this together? It will benefit so many people!" I learn best by stories, and these CxOs had many to tell. I was stirred. A childhood dream that had been stuck deep within me burst into flames. I then embarked on the arduous task of compiling all the coffee chats I have had over the years with the different Cyber Risk Leaders. I selected 30 C-suite executives from all over the world. One lesson imparted by a CxO from their entire twenty years of experience, multiplied by 30. That's more than five hundred years of solid experience! All the top tips collected into a single book. I was enriched. Still, it was a long journey that took a lot of time, dedication, vision and belief. But I was determined. Before I knew it, I had a few offers from several publishers in the USA. I decided to go with our local favourite that specialises in this very industry, the same one that publishes the magazine you are now reading. I am honoured that this book will be the very first book they are taking under their wing. This is a book that has never been written in such a way before. The first of its kind.

The Big Reveal

I am delighted to officially announce that 'Cyber Risk Leaders: C-Suite Insights - Leadership and Influence in the Cyber Age' will be launching first in Australia, and then internationally, this June. In this book, you will get up close and personal with 30 CxOs from around the world. Trade secrets are revealed from lessons learnt the hard way as life experiences unfold. In this collection, I explore the art of communicating with executives, offer tips on navigating through challenges, and reveal what the C-Suite looks for in their partners. This book will raise the cyber quotient of our generation, and I am so excited to share this with you. In celebration of International Women's Day, the first 50 pre-orders will get a personally signed copy!

How It All Began

CISO is a relatively new word. Most are still establishing the role in an ever-changing landscape. The CISOs in today's modern world remind me of the TV series 'Designated Survivor'. After a catastrophic event wiped out the entire White House and all the members of Congress, the character, despite being a low-level cabinet member, had to assume the seat of the Presidency. The nation was in a dire state post-disaster, and the new stand-in President had to endure feeling the acuteness of his inadequacy every single day. While dealing with scorn and condescending remarks from the press, and under the scrutiny of the ex-President who had finished his term, he had to take things in his stride and rise to everyday challenges. For a long time, he was just reacting to attacks and resolving problems. He did not have the time or the capacity to act strategically. In the end, he mastered the skill of warfare. Importantly, during this journey, he gained the trust and respect of the whole nation, as the one thing he never compromised on was his integrity. In many ways, I feel CISOs are in a similar position. In today's complex and ambiguous world, change is the new norm; threats are vague and impacts unpredictable. The CISO is on the frontline. In fact, in many of my coffee catch-ups with them, there are a few in whom I detect a warrior aura.

The Chapters

Cyber Risk Leaders reveals the individuals behind the army at the frontline of our battlefields. I get them to be real. Like the famous TED talk speaker Brené Brown, who spoke about the power of vulnerability, in this book our CISOs talk about how they deal with challenges and fears. Our industry leaders are unafraid to tell it all, from where CISOs have been missing the mark all the way to their honest thoughts about dealing with the Board. I even flipped the table at some point and roped in a bunch of CxOs to give advice to our security leaders. Over the years, I have interviewed CISOs from all across the globe: the US, Europe, Australia, Hong Kong, Singapore and Israel. If you could have all these amazing global leaders together in the same room, what would you ask? Well, I managed to put together their top 15 most important tips for anyone who is in our line of industry. There's even a chapter called the CISO Kit that goes in depth into the different techniques that have worked on the Board. From the best ways of wielding your communication weapon, to the art of storytelling, dealing with the money issue, attracting talent and making use of intelligence, Cyber Risk Leaders is the result of years of hard work. It was an incredible ride at the same time. I had lots of fun writing this book; who wouldn't, especially if you get to sit with some of the most talented and successful leaders of today's world. The book also covers some of our CISOs' secret ingredients for their success and, at the same time, gives you a peek into their minds. In the bonus chapter, you will find out what the big 'no-nos' are when dealing with a CxO and what they are actually looking for in a security partner. There is something unique at the end of every chapter. Look out for the 'You Did What?!' segment, where I compiled some of the more ridiculous stories and silly mistakes that you have never heard, from today's cyber age. You will definitely gain new insights into the world of the C-Suite. Watch this space and get ready for Cyber Risk Leaders, a book that will equip you in a relevant and most practical manner, coming your way this June!

About the Author

Shamane is the APAC Executive Advisor at Privasec, a leading independent security consulting firm in Australia and Singapore. She currently works with the C-Suite and executives and examines various approaches to uplifting corporate and individual security posture in this cyber age. While also managing APAC relations, she has successfully enabled businesses, enterprises and agencies to be well equipped in key cyber risk aspects. Shamane has a passion for disruptive technologies and the human factor. As the founder of the Cyber Risk Meetups across Australia and Singapore, with over 1,500 attendees, her meetups offer security enthusiasts and executives a unique platform to impart and exchange innovative insights. Shamane is also a huge advocate and champion for professionals in the cyber risk sector and encourages people to look for new ways in which they can take a step forward.


BOOK REVIEW | by CHRIS CUBBAGE

THE SECURE CIO
By Claire Pales

Published: 15th March 2018
ISBN: 9780648204794
AVAILABLE VIA BookTopia www.booktopia.com.au/the-secure-cio-clairepales/

The Secure CIO: Reviews

'A great read for any organisation looking to hire cyber security senior leaders, as well as a good read for those looking to move into those roles in future.' - Dan Maslin, Head of Cyber at RACV

'Claire successfully blends her corporate, consulting and global expertise to offer an insightful and pragmatic approach to information and cyber security. Her independence is a drawcard for clients, as Claire provides objective recommendations which gain confidence with executives and Boards. Claire's ability to build relationships and trust allows her to gain insights and deliver value sooner.' - Anna Leibel, Executive Manager, Technology at UniSuper

'There can be no doubt that this connected world presents some of the most challenging risks and brilliant opportunities. Securing an organisation so that its cyber security settings are appropriate is an issue that confronts all organisations – both big and small. The second biggest challenge in cyber security is how to find the right cyber security professional. Claire's book is not only full of the insights she has accumulated from years of experience, but it is perfectly timed, as the marketplace is awash with opportunities for security professionals. She not only addresses the importance of selecting the right cyber security "warrior" but also provides readers with an enduring framework so that organisations, particularly their CIOs, understand that, with the right controls, culture and expectations, cyber security is a risk that cannot be eliminated but can be effectively managed. This is definitely a page turner!' - Rachael Falk, Cyber Security Adviser, Pace & Scale Pty Ltd

'From the very moment we connected with Claire, we knew she was the perfect fit to guide us in our cyber security journey. Aside from being an experienced, well respected and extremely passionate information security professional, Claire understands what makes individuals and organisations tick. Claire's ability to combine technical expertise with an understanding of how to drive organisational change is a wonderful asset. May this book inspire many others to follow in her footsteps.' - John Finnan, Head of Payment Operations and Group ICT at MYOB

'Claire is unique within the infosecurity industry. Someone you can give almost any challenge and trust she will get it done well and with the utmost professionalism. She is an inspiring speaker, writer and coach. We have been absolutely privileged to have her as our AWSN National Events Coordinator and Melbourne events manager for the past 12 months, where she has helped organise CSO roadshows across Australia and NZ, Gartner panels and local events. She has been an incredible coach who has helped me through many crises.' - Jacqui Loustau, Founder, Australian Women in Security Network

About the Author

Claire Pales is the best-selling author of "The Secure CIO" and Director of 27 Lanterns, a consulting company committed to helping organisations create and sustain effective information and cyber security teams. For more than 16 years, Claire gained experience establishing teams and leading award-winning security strategies throughout Australia and Asia, including Hong Kong, China and India. Claire's focus is to grow and coach information security professionals and help businesses to establish exceptional information security practices. Based in Melbourne, Claire is a mum to four children, a sought-after speaker, an industry writer and an advocate for women in cyber.


BOOK REVIEW | by Daisy Sinclair

TROLL HUNTING
By Ginger Gorman
Special thanks to Hardie Grant Publishing for the giveaway copies.
Published: 1st February 2019
ISBN: 9781743794357
AVAILABLE VIA BookTopia www.booktopia.com.au/troll-hunting-gingergorman/

Troll Hunting is the true story of the writer and former ABC journalist Ginger Gorman, who had been working on a cross-media project on discrimination against LGBTI people. She interviewed Peter Truong, Mark Newton, and their five-year-old son. This interview, in 2010, took place in the northern suburbs of Cairns. It turned out that the couple had been lying about their son, stating that he was born to a Russian surrogate mother they found on the internet. Instead, they were part of a pedophile ring that sexually abused the child. The couple were prosecuted in 2013. One outcome was that Ginger Gorman was shamed online and, amongst many hateful tweets, was called a pedophile collaborator. She became the target of an orchestrated online hate campaign and received a great number of hateful tweets, including death threats.

Troll Hunting is one of the most moving books I have ever read. As a cyber security professional for more than ten years, I am very familiar with online radicalisation and the behaviours around it. This book reminds me of one of the discussions I had with my previous supervisor, Mr. Philip Victor, about this very subject and how cyberbullying is likely to impact future generations. Getting to the second chapter, online radicalisation was my first thought. Reading about and getting to know Mark and Craig, the first Australian trolls that Gorman met in person: these two have completely different personalities from when they are online. When online, they thoroughly enjoy hurting people! After two years, Gorman's fear subsided, and she decided to carry out professional research into, and develop an in-depth understanding of, her online attackers. It turned out that the research was far more complicated than she had ever thought. The deeper she dug, the more she realised how impossible it was to separate the harm we can come to online from the harm that we suffer offline. In one of Gorman's cases, academics apply the term "suicidal ideation", describing the correlation between digital harm and the serious consideration or attempt of suicide.

Anyone can be vulnerable to extremism and radicalisation, children in particular. According to www.educateagainsthate.com: "As they grow and become more independent, it is not unusual for them to take risks, explore new things and push boundaries. Teenage years are often a time when young people will be searching for answers to questions about identity, faith and belonging, as well as looking for adventure and excitement. Extremist groups know young people are vulnerable and may claim to offer them answers, identity and a strong social network, and using the internet and social media to spread their ideology". It is important to know the factors that make people, importantly our children, more vulnerable to radicalisation. Factors such as struggling with a sense of identity, experiencing racism or discrimination, difficulty in interacting socially and lacking empathy are amongst a few to look out for. Any of these issues, together with external factors such as community tension and having friends or family who have joined extremist groups, all contribute to the process of radicalisation, which leads children to believe that extremists' claims are the answer to their problems. A highly recommended read, and I hope you are lucky enough to get one of the free copies.

About the Reviewer

Daisy is the Founder of Cyber8Lab Pty Ltd. She has more than fourteen years' professional experience in International Cooperation, Information Security & Cybersecurity, IT Training and Business Development, and IT Project Management.

Download the APP for a chance to win a FREE copy - App Competition to be held 15 March 2019


BOOK EXCERPT The Secure CIO

W

hen I began asking CIOs what problem they were solving by hiring a security professional, the answers didn’t surprise me. Responses such as ‘The audit and risk committee told us a recent audit showed we need to address cyber risk better, and this included hiring a leader to take responsibility’ were common. Some responses focused on domain expertise, having an expert to define the strategy and mitigate the organisation’s security risks. Some of the less common responses were that a security leader was needed to advise the CIO and that security awareness was key to their remit. The overwhelming majority spoke about protecting the customer. This is a great place to start as a rationale for having a security team and a security leader. If you put protecting your customer at the heart of what you do, your reason for being will be similar to that of the sales, marketing, finance, and operations teams: retaining the customer. Protecting the customer also means retaining your reputation in the market and ensuring the resilience of systems to continue operating through threats and incidents. The point of this chapter is that no matter what your reasons are for bringing in a security leader, you are prepared to back this leader in their pursuits to deliver. You don’t want to hire a scapegoat. You don’t want to

What is your why? ‘If you hire people just because they can do a job, they’ll work for your money. But if you hire people who believe what you believe, they’ll work for you with blood, sweat and tears.’ - Simon Sinek, author hire one person to do the job of many, and you don’t want to hire a security leader so the organisation can wear it as a badge of good corporate citizenship. Hiring a security leader takes work, some of which needs to be done before they arrive. Understanding what you need them to do, what they will be stepping into, and how you plan to support them emotionally, financially, and organisationally is incredibly important. Yes, these leaders are grown-ups;


it’s not their first security gig (in most cases) and they can probably get the motor running themselves within the first few weeks. However, if you have done the hard thinking, understand where the organisation is at (and not just through audit findings), and you have considered the impact this new leader will have on your organisation, positive and negative for some, you and the other c-level leaders will also benefit. I can hear you thinking, ‘But isn’t that what I’m hiring a security leader for, to do the hard thinking, to understand where the organisation is at, and to have a positive impact on the organisation?’ Yes. But if no one has agreed on expectations before the leader arrives, even if they are a replacement leader, there will be months of confusion, constant knockbacks for funding, and a great deal of frustration. Companies often excitedly bring in permanent security staff without considering where the team is coming from (or going) and what outcome they require. Asking new staff to come in and ‘make it secure’ isn’t enough to entice qualified security people from jobs where they are valued. Without knowing how the business got to where it is today, and what the path ahead looks like, it is impossible to recruit effectively for security-related roles. This forces some hiring managers to seek candidates who are more senior or specialist than is required, with possibly a bigger price tag than is necessary. Companies with clearly articulated security goals can give candidates an understanding of the value they can bring by joining the business. This also creates opportunities to seek candidates without traditional security backgrounds who may offer skills that better align with the required business outcomes. It’s your responsibility to see the job vacancy as more than purely filling a role. There is nothing more frustrating than beginning a job in security only to find that before you can deliver any results, you must first justify your existence. 
Companies define a bigger picture for marketing or product development, and security is no different. No matter whether it’s a simple strategy or detailed roadmap, clear commitment to more than just security staffing leads to a sustainable security function and less likely attrition. The detail may change over time. but if hiring managers have enough information to be honest with themselves about why they are hiring, and honest with the candidate about the near- to medium-term expectations, incoming security staff will have a sense of their fit with the security culture and the priorities of the employer. With this in mind, why are some organisations not forward thinking about a better story to attract and retain the right security people?

Key takeaway Decide on your why. Make sure that no matter why you’re bringing in a security leader, you are prepared to back them in their pursuits to deliver against your rationale, agenda, and future strategy. I have been fortunate in my career to arrive in roles that have strategies – or the bones of one – already thought through. I then take the time to review the documentation and ensure the strategy fits the business, is up to date with

Security maturity ‘Seek first to understand, and then be understood.’ - Stephen Covey, The 7 Habits of Highly Effective People

the business strategy, is realistic, and is one I can be proud to deliver. As a new leader coming into an organisation, it gave me great confidence that in the absence of a security leader or team, an organisation had invested in understanding their security maturity and what they might need to do to improve. This was certainly a ‘pro’ when it came to deciding which roles to take on. Of course, there are security leaders – leaders in all professions – who like to write and seek endorsement for their own strategies, end to end. This is fantastic. Even if the new leader wants to create their own roadmap, any documentation the organisation can provide, including reviews and literature, helps in the strategy planning process. Context, politics, documentation, and stakeholder opinions are vital artefacts. Existing strategies will always be affected by those who deliver them, and on occasion I have made changes to ensure we were taking the organisation’s security in a relevant direction. Also, my strengths lie in security awareness, leadership, and communication with all levels of the organisation. If any strategy missed these key elements, I ensured that communication outside of the security and IT teams was planned for and achieved. Any new leader wants to make their mark on the organisation. How they do that will be up to them. But arriving to some form of plan helps guide the incoming leader as to the organisation’s security risk and what fires need to be put out first. This needn’t involve extensive time and financial investment. Most CIOs, with some guidance from this book, can ascertain the organisation’s high-level concerns. At the interview stage, ensure you provide enough insight for a new security leader to know what they are stepping into and what quick wins they can concentrate on. I call these areas the ‘big rocks’. Stephen Covey talks about the big rocks of life, and the idea comes from him. 
In essence, the big rocks are points of focus, areas to address that make the biggest impact. There will always be room for ‘sand and pebbles’, but addressing the big rocks takes away a large percentage of the security pain your organisation may be feeling. The next couple of chapters will help you to understand how to identify these big rocks, of which I would recommend having three. In many cases, they become clear quite quickly. Here are some examples gleaned from experience and also through interviews with CIOs. The list is by no means exhaustive.


In a start-up: The focus for the security leader may be on vendor management, application security, security of third party engagements, and basic network security. It’s less likely to be about compliance and audit.

In a newly digital organisation: Application security, incident response, security awareness, and cloud security may be the big rocks.

In a utility: Big rocks could be defined as understanding IT and OT (operational technology) security, security awareness, and security monitoring/incident response.

The Agenda

The big rocks form the major part of the agenda. The agenda is not a strategy. I repeat, the agenda is not a strategy. The agenda sets the scene for the new leader and provides some facts, opinion, and context to which they can anchor in their first few months. The agenda forms the major part of the handover documents for the new leader (discussed in chapter 17). Imagine joining an organisation as a chief financial officer and no one giving you any idea of the financial state of the company. You have no staff, no background, just some outdated policies and full accountability to keep the organisation financially secure. This is what security people face every day, and if we could work towards giving them an agenda on which they can get off to a brisk start, this benefits not only the new leader but some of their peers. Handing the new security leader a wad of audit reports is not the same as providing them with a security agenda. It serves a much different purpose. While audit reports provide important background and clarity on the key risks and the remediation recommended, they cannot replace an agenda that has been created with more than compliance in mind. The agenda can cover details of interviews with leaders; a reflection of security against the values, mission, and strategic direction of the organisation; details of the current state of security and what is already in place (policies or technical controls); the big rocks; the opinions of leaders about the type of security leader needed and some valuable activities the new leader could kick off in line with the three big rocks. The agenda plays one more role. If the direction to hire a new head of cyber or information security has been handed down from an audit and risk committee, or the board, the agenda shows that action has and will be taken immediately to begin addressing the security risk. While waiting for a new security leader to arrive, conducting interviews and gathering information have already started the conversation within the organisation. Stakeholders will know change is coming and that they are contributing to that change. Facts uncovered may lead to work that can be carried out immediately by a technical staff member or contractor. Life can go on while recruitment takes place, and any progress towards a more secure organisation can be reported to the board/committee until the new leader arrives. And when they do arrive, regular, engaging strategic updates to the board and executive are key. This way, when incidents happen unexpectedly, the board is already aware of the head of information security and the progress made towards improving security.

Key takeaway

The agenda provides a set of relevant facts regarding the security status of the organisation. While it is not a strategy, audit, or risk assessment, it pulls together details for the new leader to review. Understanding what the big rocks are, and what led to their identification, helps give the new leader some context and provides them with a strategic starting point.


CYBER RISK LEADERS FORUM: Bringing Business & Technical Drivers Together

ASD TOP 4 COMPLIANCE & PRIVILEGED ATTACK VECTORS: Whitelisting, Patching Applications, Patching OS, Privileges

The Business Driver:

Thursday 11 April | 2:00pm - 5:30pm, Murphy Room, Sofitel Darling Harbour, 12 Darling Dr, SYDNEY

- NSW Government Cyber Security Strategy
- Watch a live hack! How cyber hackers infiltrate an organisation’s network and exploit privileged credentials to move laterally and gain access to a database.
- Real case study: How to sieve out noise from real events in the cybersecurity arena.
- Privileged Account Security: The last layer of defence should be your first.
- Understand the Australian framework and how mitigation strategies will help you to protect your organisation from 85% of the intrusions.

81% of hacking-related breaches leverage stolen or weak passwords (1). This is consistent with other breaches that have hit Australia and the Indo-Pacific region in recent months. SingHealth is a recent example of how unprotected privileged credentials can be exploited to cause havoc. With insights on how the attackers operated, we can now enforce the right security controls and drastically reduce cyber-risk. But where should you start?

This forum is designed for business and technical drivers of the cybersecurity program within government and enterprise organisations. It is an ideal opportunity to come together to understand the application and implementation of the ASD Top 4 and meeting the Essential 8.

AGENDA

2:00pm Registration & Introductions
2:15pm Opening & Welcome
2:20pm “Why PAM is a critical part of the IT security strategy” – Guest Speaker
2:45pm “Live Hack! How hackers infiltrated Singapore Health, and exploited privileged credentials to steal the medical data from 1.5M patients, including the PM’s.”
3:45pm Lessons from Recent High-Profile Breaches – How the Australian framework can help your organisation to protect against 85% of the intrusions
4:15pm How to meet compliance with the ASD’s Top 4 & open discussion (Chatham House Rule applied)
5:00pm Close and Networking Drinks

REGISTER HERE

We look forward to you joining us (2),
Chris Cubbage CPP, CISA
Director & Executive Editor, MySecurity Media

(1) Verizon’s Data Breach Investigations Report (DBIR), 2018
(2) Attendance is kindly restricted and limited to government and corporate teams currently tasked with working in information security or information technology


Cyber Security

The importance of valuing data

By Sarah James

This article gives an overview of the importance of data, what happens when we use data incorrectly, and how protecting your data can make a difference to your organisation.

Why does data matter? Can we measure how much data is worth? Can we measure how much someone cares about data? An idiom comes to mind: “One person’s trash is another person’s treasure”. The data we throw away can be just as valuable in a world where data is the new oil (or not, depending on your perspective). What one person may think is worthless may be cherished or exploited by another. Value is different for every person and every organisation. What you and your organisation value has an impact on the security of your organisation. We protect what we value. In The Good Ones: Ten Crucial Qualities of High Character Employees, Bruce Weinstein identifies our core values as individuals as: gratitude, honesty, care, presence, patience, accountability, loyalty, humility and courage. We all weight these differently depending on who we are and what we are doing. A lapse in concentration can change the way in which an action is interpreted; being aware of doing the right thing at all times is necessary, and the value of the outcome will certainly increase with the thought that has been applied. Whilst values are hard to measure quantitatively with data, it is important to think about values in relation to people and consider how security may be affected. The values of an organisation can be considered as part of a security and data strategy to protect its most valued data. We all value data differently, and data makes an impact on us and the work we do in many ways. How we think, act and deliver affects how we use data in order to prove or disprove hypotheses. We can create a bias in both our data selection and our data analysis and potentially bias the results. This can affect the way a business traverses the highs and lows of a volatile environment. We all favour a certain type of data. My own preference is locational or spatial data. Some may prefer financial, others performance data; some may even like to see the production data. We can correct a bias once we become aware of it. Every data scientist works with data in a unique and subtle way. Not everyone values data in the same way as others. Data scientists use data every day, and sometimes they need to stop and remove the lenses that can create bias, to be open-minded to new datasets and methodologies, and to provide the best data insights that we can find. Data scientists work with subject matter experts to validate the data and to help AI learn to classify and disseminate the data quickly and effectively. Decisions that are made wisely can have a greater impact: changing processes rapidly, deploying solutions iteratively and releasing value sooner for a business. Data scientists are integral to the analysis and understanding of data, but they are far from the only people affected. People in different roles in an organisation are likely to value data differently. How a decision maker, e.g. the C-suite, values data will be very different from how a data scientist does. The insights in the data depend on the dataset that we select. Each role’s perspective alters the risk profile that is associated with the data. The knowledge of others is key to different roles across the organisation. This is because the perceived risk changes as the dataset and the role of the person who uses that data change.



There are also knowledge-based measures of value, such as intellectual property, innovation, interconnectedness and collaboration. How we measure these is again attributed to the data. Understanding the value of these for an organisation can help to understand the potential security risk within the organisation. So, without an understanding of the security risk, how do we value partnerships with other organisations, and how can sharing data with the partners we trust make a difference to security? How do we protect third party data and ensure that we are complying with the licensing regulations to which we agreed? This is why we have standards to adhere to around the world. This is the reason why the General Data Protection Regulation (GDPR) was introduced for the EU and why many organisations across Asia-Pacific are becoming GDPR compliant. This is also the reason why the UK has the FOI (Freedom of Information Act), the Privacy Act and the Environmental Information Regulations. This is also the reason why there are many different types of engineering standards around the world, including ISO 8000 for Enterprise and Master Data Management and 9000 for data quality. From a spatial point of view, the standards come from the Open Geospatial Consortium (OGC), an international not-for-profit organisation committed to making quality open standards for the global geospatial community. These standards are made through a consensus process and are freely available for anyone to use to improve sharing of the world's geospatial data. Without these standards, data can become disorganised, corrupt, and unruly. This can be a liability. In short, governments and ruling bodies are legislating on this because data matters and the security of that data matters.

When data goes wrong

Data is often in the headlines for the wrong reasons. The Cambridge Analytica articles created an undercurrent of concern and mistrust towards companies leveraging data. Revelations around election interference in some countries were also a great reminder of how much we need to value data. The use of personal, identifiable data is dangerous when it is used for reasons other than those initially intended. Data can also become outdated quickly, so what the data says today is different from yesterday. Data can certainly become outdated within a day of us changing our minds. Data is powerful; data pieced together can create a picture or perspective of how markets, individuals and organisations are performing. Piecing data together can create a picture of your likes, your dislikes and your preferences. How the data is selected and how it is analysed can create a story that may or may not be true. Therefore, thinking about data and the context in which others could use it for harm can make a difference. Reading data can provide insights that predict an epic story, or the end of a story; we must always be mindful of, and understand, the multiple data sources that may be available to us. This is why it is important to keep prying eyes away from your data, so that the wrong narrative or insight cannot be obtained. Consideration is the key to pre-empting a data breach.

Protecting your data

What is the risk and uncertainty of the data that we use and rely on? On a daily basis, we leverage and use data to gain powerful insights and make key business decisions. Ensuring that the security around the data itself goes beyond the security of the application that uses it helps to protect this data. An organisation needs to secure the data wherever it resides, especially if it is holding information about others and confidential information. Organisations such as Deloitte can help clients with these challenges. At Deloitte, we have “Our Values at Work”. This outlines our responsibility for our community, our culture and our clients. Our global initiative is to be world class in everything we do and to empower 50 million people by 2030 through access to education, skills and opportunities. We know this is ambitious, but so are we. The goal of being best in class also relates to data: how we select it, analyse it and safeguard it. We want our data and our clients’ data to be effectively used, secured and protected. Deloitte wants our clients to value and leverage the data insights that can be obtained whilst ensuring the integrity, safety and confidentiality of the data. This is how we help organisations to discover the opportunities for change, to make decisions, and then to deliver solutions. Leveraging data to make automated decisions about individuals, products, and markets is a wise move in a data-enriched world, including automated decisions about data security. Data is helping businesses to perform at their best. Using Industry 4.0 tools like Big Data platforms, IoT and advanced analytics can help to connect vast arrays of slow- and fast-moving data and then predict, forecast and simulate what will happen in the future. All of these tools require integrated security considerations in order to protect and provide value.

In conclusion, by working together and leading from the heart with your values and your data, an organisation can have securely managed data and achieve a standard across the organisation, whilst allowing decision makers to act quickly. Using data to identify opportunities can enable the insights that are needed to make a dramatic difference to your organisation, so long as you protect and value your data. Do you value data as the heart of your organisation, rather than just using it to run your organisation? Ensure that there is clarity in valuing your data; be ready to reach out for help and assistance when it is required.

About the author

Sarah James is a Director with a top tier firm's Consulting, Data practice. Sarah has over 20 years of experience in data. She has a passion for understanding and solving clients' problems, leveraging data to do so. Sarah’s experience enables her to help clients mature and transform into Insight Driven Organizations by developing innovative strategies and roadmaps, clearly articulating business value and leading teams to deliver the best solution. Sarah's mission is to inspire others and to help her clients with new ideas and initiatives, leading them to change and transform in a way that creates innovation and ensures that the data is always considered.




Anonymisation: False assumptions and fallacies in data protection and privacy By Jane Lo Singapore Correspondent

"Data can either be useful or perfectly anonymous but never both." - Paul Ohm, associate professor of law at University of Colorado Law School, in “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization”.

In today’s world, awash with affordable data storage and processing, “Big Data” has emerged as a powerful approach to optimize decision making, with uses across varying fields. One is the health sciences, where complex and highly dimensional health data combined with behavioral and environmental data are transformed into predictions for more effective patient diagnosis. Another is financial services, where historical analysis of spending patterns is used to uncover anomalies that highlight potentially fraudulent transactions. Others include education, marketing, transportation, and even sports. Developments in Big Data innovations inevitably trigger the debate: how to preserve personal data privacy and yet benefit from the data’s utility? For many, the logical solution is embracing the seemingly reliable “anonymization” process to protect privacy. We expect that removing (or making small changes to) personal data protects our privacy.


Personally identifiable information (PII)

But advances in technology mean that the common understanding of “personally identifiable information” (PII) or “personal data”, centering on the obvious such as names and birthdates, easily misses other information not immediately seen as personally identifiable. One example is the IP address. Google, on its blog post “Are IP addresses personal?”, argued that not only are these number strings shared in some situations, they are also tied to machines and not humans. Privacy advocates contended that search queries tied to shared IP addresses, such as those of a family or a small office, are a privacy threat. Additional online activities such as emailing or e-commerce shopping provide a wealth of information for correlation with the IP addresses. And these correlated pieces of information, which on their own may seem harmless and anonymous, can be linked to an individual. We heard more at the EPIC (European Platform for Intelligent Cities) workshop “Privacy Preserving Information Technologies”, held at Singapore’s Agency for Science, Technology and Research on 10th Dec 2018.

First, what is anonymization and why is it used? To protect individuals’ privacy, data is manipulated to make it difficult to identify individuals. This is the process of anonymization. There are various methods of data manipulation, from removal to replacement to generalization, and cryptography. However, the case studies below illustrate that despite these anonymization attempts, individual identities were exposed.



Case Study 1. Single out PII

A government agency in Massachusetts, the Group Insurance Commission (GIC), decided in the mid-1990s to release records summarizing every state employee’s hospital visits to researchers. It assumed it had protected patient privacy by removing names, addresses, social security numbers and other ”explicit identifiers”, but retained ZIP code, birth date, and sex. Latanya Sweeney, professor of computer science, purchased the complete voter rolls from the city of Cambridge, a database containing, among other things, the name, address, ZIP code, birth date and sex of every voter. Combining this with the GIC records, she found the record of the state’s Governor, Bill Weld, including his diagnoses and prescriptions.

Case Study 2. Remove and Replace

In 2006, AOL posted to a website twenty million search queries for 650,000 users of its search engine, summarizing three months of activity “to embrace the vision of an open research community”. It assumed it had protected privacy by removing obvious identifiers such as username and IP address and replacing them with unique identification numbers. A user was identified and tracked down through clues attached to a specific identification number, including queries such as “landscapers in Lilburn, Ga”, several people with a specific last name, “Arnold”, and “homes sold in shadow lake subdivision in county Georgia.” AOL’s CTO resigned.

Case Study 3. Generalize

In 2006, Netflix released 100 million records revealing how nearly half a million of its users rated movies from Dec 1999 to Dec 2005 (date of rating, movie rated and a rating from 1 to 5) to launch the Netflix Prize, awarding $1 million to the first team that used the data to significantly improve on Netflix’s recommendation algorithm. Researchers compared the data to Internet Movie Database (IMDb) user ratings and were able to identify two users in both databases. This allowed the researchers to learn a more complete profile of each user based on the combined information from both databases. Netflix subsequently settled a class action lawsuit against the company for privacy violations.
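The three case studies above share one mechanism: quasi-identifiers left in a release are joined against a second dataset that carries names. As an added example written for this article (not code from the original text), the check below computes the k-anonymity of a release over its quasi-identifiers and simulates the voter-roll join, with and without generalization. The records, names and the generalization rule (3-digit ZIP prefix, birth year only) are constructed assumptions.

```python
"""k-anonymity check over quasi-identifiers (ZIP, birth date, sex) and a
simulated linkage against an external dataset such as a voter roll.

Added example for this article, not code from the original text. All records,
names and the generalisation rule below are constructed assumptions."""
from collections import Counter, defaultdict

# Constructed "hospital visit" release: explicit identifiers already removed,
# but the quasi-identifiers that enabled the GIC linkage are still present.
RELEASE = [
    {"zip": "02138", "dob": "1945-07-31", "sex": "M", "diagnosis": "A"},
    {"zip": "02138", "dob": "1961-03-12", "sex": "F", "diagnosis": "B"},
    {"zip": "02139", "dob": "1961-11-02", "sex": "F", "diagnosis": "C"},
    {"zip": "02139", "dob": "1945-01-15", "sex": "M", "diagnosis": "D"},
    {"zip": "02140", "dob": "1972-05-20", "sex": "F", "diagnosis": "E"},
    {"zip": "02141", "dob": "1972-09-09", "sex": "F", "diagnosis": "F"},
]

# Constructed public dataset carrying names next to the same quasi-identifiers.
VOTER_ROLL = [
    {"name": "Alice", "zip": "02138", "dob": "1945-07-31", "sex": "M"},
    {"name": "Bob",   "zip": "02139", "dob": "1961-11-02", "sex": "F"},
    {"name": "Carol", "zip": "02140", "dob": "1972-05-20", "sex": "F"},
]

QUASI_IDS = ("zip", "dob", "sex")


def identity(record):
    """No generalisation: the quasi-identifiers are released as collected."""
    return record


def generalise(record):
    """Assumed generalisation rule: keep only the 3-digit ZIP prefix and the
    birth year, so several people share each quasi-identifier combination."""
    return {**record, "zip": record["zip"][:3], "dob": record["dob"][:4]}


def qi_key(record, quasi_ids=QUASI_IDS, transform=identity):
    """The tuple of (generalised) quasi-identifier values for one record."""
    r = transform(record)
    return tuple(r[q] for q in quasi_ids)


def k_anonymity(release, quasi_ids=QUASI_IDS, transform=identity):
    """Size of the smallest equivalence class in the release. k == 1 means
    at least one person is unique on the quasi-identifiers alone."""
    counts = Counter(qi_key(r, quasi_ids, transform) for r in release)
    return min(counts.values())


def link(release, external, quasi_ids=QUASI_IDS, transform=identity):
    """Simulate the join: group both datasets by quasi-identifier key and
    report the sensitive value for every key held by exactly one released
    record and exactly one named individual. Returns {diagnosis: name}."""
    by_key_release = defaultdict(list)
    for r in release:
        by_key_release[qi_key(r, quasi_ids, transform)].append(r)
    by_key_external = defaultdict(list)
    for e in external:
        by_key_external[qi_key(e, quasi_ids, transform)].append(e["name"])
    linked = {}
    for key, records in by_key_release.items():
        names = by_key_external.get(key, [])
        if len(records) == 1 and len(names) == 1:
            linked[records[0]["diagnosis"]] = names[0]
    return linked


if __name__ == "__main__":
    print("k (raw release):     ", k_anonymity(RELEASE))
    print("linked (raw release):", link(RELEASE, VOTER_ROLL))
    print("k (generalised):     ", k_anonymity(RELEASE, transform=generalise))
    print("linked (generalised):", link(RELEASE, VOTER_ROLL, transform=generalise))
```

With the raw quasi-identifiers every record is unique (k = 1) and three diagnoses link straight to names; after the assumed generalisation each class holds two people (k = 2) and no record links uniquely.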

And what about hashing?

In 2014, with a Freedom of Information request, a researcher obtained a complete data dump of historical trip and fare logs from NYC taxis. This covered 173 million individual trip records of pickup and dropoff location and time, anonymized licence and medallion numbers (the taxi’s unique id number) and other metadata. But the anonymized information was subsequently re-identified. With some investigation, the researcher managed to infer that the anonymized alphanumeric codes were derived from the MD5 hashing algorithm. The researcher also noticed a pattern in the anonymized codes explained by specific static parameters. With these inferences, the researcher narrowed the number of possible combinations to 23 million. This was computationally feasible for the researcher to reverse engineer, and the anonymized hashes were exposed along with the original taxi and medallion numbers.

How have regulations responded?

Under the 1995 European Data Protection Directive, data is personal if it can be used to identify someone “directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity." This was expanded to include “location data, an online identifier” in the EU’s GDPR (General Data Protection Regulation) that came into force in 2018. There is also an explicit definition of “pseudonymous” information which “could be attributed to a natural person by the use of additional information” and “should be considered to be information on an identifiable natural person”. These new definitions underscore the constantly expanding nature of PII. IP addresses were not a consideration when the German region of Hesse passed the first privacy law in 1970. Neither were movie ratings when the 1995 European Data Protection Directive was passed. Clearly, where regulations to protect personal data rely on the binary test of PII (the data is PII or it is not), they afford individuals scant protection against privacy risks as technology develops over time. Undoubtedly, assumptions about how anonymization protects privacy based on PII definitions must be constantly challenged as technology evolves. More significantly, while Quantum Computing is a decade (or more) away from breaking cryptographic hashes and exposing the false assumptions of anonymity, there are some immediate concerns. Studies today point to how statistics can reveal sensitive information, and how sensitive training set data can be reconstructed from machine learning technologies (e.g. facial recognition). Certainly, new technologies (obvious examples are cryptocurrencies and artificial intelligence) have always generated heated debates on appropriate regulatory responses.

In this Big Data era, regulators (and innovators) are not alone in facing ethics and accountability dilemmas in the risk-benefit tradeoff.
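The taxi case study above turns on the size of the identifier space, not on any weakness in MD5: an unkeyed hash is a relabelling anyone can recompute. As an added example written for this article (not code from the original text), the check below builds the lookup table a data custodian should assume any recipient can build, shows that an MD5 pseudonym over a small structured space maps straight back, and contrasts a keyed HMAC pseudonym that cannot be rebuilt without the key (and so is pseudonymous rather than anonymous in the GDPR sense). The identifier format (digit, letter, two digits) is a constructed stand-in, not the real medallion format.

```python
"""Why hashing a small identifier space is not anonymisation.

Added example for this article, not code from the original text. The
identifier format below (digit, letter, two digits: 26,000 values) is a
constructed stand-in for any short structured ID, not the real taxi formats."""
import hashlib
import hmac
import itertools
import string


def identifier_space():
    """Enumerate every identifier of the constructed format, e.g. '7K42'."""
    for digit, letter, number in itertools.product(
            string.digits, string.ascii_uppercase, range(100)):
        yield f"{digit}{letter}{number:02d}"


def md5_pseudonym(identifier):
    """Unkeyed hash: anyone can recompute it, so it is a deterministic
    relabelling of the identifier, not a secret."""
    return hashlib.md5(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier, key):
    """Keyed pseudonym (HMAC-SHA256). Without the key a third party cannot
    rebuild the table; with it, the custodian can still re-link, which is why
    such data counts as pseudonymous rather than anonymous."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def invert_by_enumeration(pseudonyms, pseudonymise):
    """Custodian's pre-release check: precompute pseudonymise() over the whole
    identifier space and see which released values map straight back.
    Returns {pseudonym: identifier or None}."""
    table = {pseudonymise(i): i for i in identifier_space()}
    return {p: table.get(p) for p in pseudonyms}


def release_is_reversible(pseudonyms, pseudonymise):
    """True if at least one released pseudonym can be mapped back to an ID."""
    inverted = invert_by_enumeration(pseudonyms, pseudonymise)
    return any(v is not None for v in inverted.values())


if __name__ == "__main__":
    ids = ["7K42", "0A00"]
    unkeyed = [md5_pseudonym(i) for i in ids]
    print("md5 release reversible:", release_is_reversible(unkeyed, md5_pseudonym))
    print(invert_by_enumeration(unkeyed, md5_pseudonym))

    key = b"constructed-demo-key-keep-out-of-the-release"
    keyed = [keyed_pseudonym(i, key) for i in ids]
    # A recipient without the key can only try unkeyed or wrongly keyed tables.
    print("keyed release reversible via md5 table:",
          release_is_reversible(keyed, md5_pseudonym))
    print("keyed release reversible via wrong key:",
          release_is_reversible(keyed, lambda i: keyed_pseudonym(i, b"guess")))
```

The 26,000-entry table takes milliseconds to build; the 23 million combinations in the article are only a few seconds more, which is the whole point.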




OT Cybersecurity must improve in 2019

By Jackie Mazzocato

As my many IT customers get more sophisticated and improve their identification of and response to breaches, many manufacturing companies – in particular, small and mid-sized organisations – are increasingly becoming susceptible to cyberattacks. So, why do they need to up their cybersecurity game in 2019? Business advantage: In “The State of Industrial Cybersecurity 2017” report, 54% of companies sampled experienced an ICS security incident within the past 12 months. 16% of those respondents had three or more security incidents. In numerous cases the manufacturer was accessed via 3rd party vendors, partners and service providers. 55% of those sampled allowed external access directly into their industrial control network. Manufacturers are replacing analogue processes with digital systems which offer increased capability and efficiency. IIoT has exponentially increased the number of connected OT devices and now requires a new level of partnership between traditional Information Technology (IT) and Operational Technology (OT) teams to ensure productivity and security coexist. The manufacturing industry has clearly become a target for cybercriminals. Therefore, I am highlighting to my clients in this sector three reasons why they need to take cybersecurity seriously.

1. Operational Disruption

Typically, IT is responsible for the systems that control, process and transport data that the business needs to make informed decisions on, growing and managing the business. IT people are generally concerned with the confidentiality, integrity and availability of data (CIA). In the OT world, prioritisation is very different: availability, integrity and confidentiality (AIC). Maintaining production (availability) and quality (integrity) are of prime importance as a loss of production can be very costly in lost revenues, internal resource costs, loss of customers and loss of company reputation. The cost of operational disruption is a significant incentive for manufacturing companies to up their cybersecurity game in 2019. The U.S. National Centre for Manufacturing Sciences estimates that breaches can cost companies anywhere from $1 million to $10 million each. In 2017 we witnessed one of, if not the most, devastating cyberattacks in history. It started when Russian hackers known as Sandworm hijacked the update servers of a Ukrainian accounting software company. That server pushed out updates to thousands of computers around the world, giving Sandworm a hidden backdoor from which they released a piece of malware called NotPetya. The headquarters of A.P. Moller-Maersk became one of the first victims. Within two hours, the malware had spread company wide. Employees were sent home and a maritime giant with 76 ports around the globe and 800 ships was dead in the water. Maersk was not the only company impacted. Pharmaceutical giant Merck & Co.’s manufacturing operations were crippled by a global cyberattack that took out its active pharmaceutical ingredient (API) production and affected its formulation and packaging systems. The attack infiltrated Microsoft systems that were not properly patched. It took control of systems and held them for ransom. It quickly spread across affected networks. Damages topped $300 million in lost sales and other costs. In August last year a variant of WannaCry impacted several computer systems and fabrication tools at Taiwan Semiconductor Manufacturing Co (TSMC) factories in Taiwan. TSMC is one of the largest chip manufacturers in the world and they lost a full day of production with a cost estimated around USD 170 million. That is before the impact on their share price is considered. The WannaCry malware also impacted Boeing and car manufacturers Nissan and Renault. As a manufacturer, can you afford for your operations to be down at all? What is the true cost to you of a similar attack? What would be the impact to your business if it had to close for weeks or months to clear up from an attack?

2. Intellectual Property (IP) Theft and Industrial Espionage

The theft of proprietary manufacturing data, from processes to bid/sales proposals to trade secrets, is a lucrative business for cybercriminals. That information can be very valuable, as well as tempting to competitors who can then get products to market faster, cheaper, and at a lower price point. According to Sikich’s 2017 Manufacturing Report, the theft of intellectual property is one of the top reasons for data breaches in manufacturing. Verizon’s “2017 Data Breach Investigations Report” found that 94% of the 620 data breaches within manufacturing were defined as espionage, and much of that was attributed to state sponsored actors. The hackers were more interested in information than in money. A piece of malware can be a “digital spy” to steal plans, processes, even proposals. The manufacturing sector is not only targeted by hackers and cyber-criminals, but also by competing countries and companies that engage in corporate espionage. Most entrances into manufacturing companies’ systems begin with a well-crafted spear-phishing email to an employee. When the recipient clicks on a malicious link or attachment, malware is installed on the computer system to give the hacker access. Social engineering, a ploy to trick people into giving up personal information, is another common method of attack. Together, social engineering and malware-based cyberattacks made up 73 percent of last year's data breaches in the manufacturing sector. IP theft and corporate espionage can damage both a business and an economy, resulting in lost revenue and lost jobs. Manufacturing needs to up its cybersecurity game in 2019 to prevent these cyberattacks.

Australian Cyber Security Magazine | 57


Cyber Security

3. The Growing Resource Gap

Both the cybersecurity profession and the manufacturing industry are suffering from a lack of skilled workers. The 2017 Global Information Security Workforce Study reports that two-thirds of its 20,000 respondents say they lack the number of cybersecurity professionals needed to address today's threat climate. A similar skills gap affects manufacturing: manufacturers are having difficulty filling open positions for want of qualified applicants, with computer skills, problem solving, technical training and mathematics among the skills most often lacking.

With the convergence of IT and OT, another gap has been uncovered: IT security professionals who do not fully understand OT systems, and OT engineers who historically have not focused on cybersecurity. As IT security staff are charged with securing both the corporate office and the manufacturing floor, they need to understand how OT systems operate, what can negatively impact them, and how to keep the production line both operational and secure. OT engineers, focused on keeping their lines running, need to understand the impact a breach can have on uptime and revenue, and work with IT to make sure their production environments are secure. Creating or adopting formal training programs in both IT and OT is critical, as is cross-training both teams so they work as one tight-knit, highly functional group. Equally critical is choosing tools that make the most of the limited people you have: cybersecurity tools that deliver real protection while preserving the availability and integrity of the production environment, so that the security solution itself does not become another drain on resources.

So, how do you up your cybersecurity game in 2019? Manufacturing companies must be able to prevent operational disruption and the theft of company IP, and give their limited resources the tools they need to deliver security efficiently enterprise-wide.

Traditional endpoint protection products, built for the IT back office, are poorly suited to the OT plant floor: they need frequent signature updates and patching, often reboots, they consume system resources, and they cannot operate in a self-contained or air-gapped network. Because they recognise only what they already have a signature or behavioural model for, their zero-day prevention is weak in either environment, regardless of what their marketing tells you. Installing security products or patching vulnerabilities in legacy operating systems requires taking systems offline, disrupting production and reducing revenue, a non-starter in any OT environment. Yet the threat introduced by these unpatched systems puts the entire company at risk.

As threats continue to expand beyond traditional IT networks, you need visibility into all OT and IT assets so that you can deploy threat prevention where it is needed. Increased visibility of connected devices, and intelligence about each device's security posture, will help you manage risk and keep production lines running.

The only way to address these challenges is to take a different approach: a solution that prevents both file-based and fileless attacks, known and unknown, without jeopardising system performance or the production line. The good news for OT is that the current generation of products can give you control over what can and cannot run in your OT environment. That removes the need for emergency updates in response to zero-day threats and lets you get off the patching merry-go-round and patch at your own planned pace (the vulnerability is still there until you do, so the patch still needs a date), while reducing risk to corporate data and load on your stretched resources. The solution you choose needs to deliver attack prevention on OT systems without taking systems or applications out of production, without downtime and without risk of corruption, ensuring continuous operation.

My recommendations to clients looking to secure OT are:

• A product that protects against file-based and fileless attacks, known and unknown, in memory and at runtime, when applications are most exposed.
• A lightweight protection sensor that runs in the Windows kernel.
• No dependence on signature updates, behavioural/AI algorithms, or external connections.
• Protection against zero-day attacks without the need for emergency patching.
• Deep forensics for incident response.
• Centralised operational control through a single console that gives complete visibility into operating systems and related applications across the OT and IT environment.
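As an added illustration (this is not code from the original article, and not any vendor's product), the following Python script shows the core of the 'control what can run' approach described above: a hash-based execution allowlist. It baselines the executables on a known-good host, then denies anything that is not in the baseline or whose contents have changed, which is exactly what a trojanised update of the kind that delivered NotPetya would trigger. The directory layout, file names and file contents are constructed for the demonstration; the script assumes the host is clean when the baseline is taken and that the baseline itself is stored where an attacker cannot edit it.

```python
"""Hash-based execution allowlist for an OT host.

Added illustration: not code from the original article or from any
vendor. Assumptions: the host is clean when the baseline is taken, and
the baseline file itself is kept somewhere an attacker cannot edit.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Tuple

EXEC_SUFFIXES = (".exe", ".dll", ".sys")


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries never sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Record relative path -> SHA-256 for every executable-type file under root.
    Run once on a known-good host; the result is the allowlist."""
    baseline: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def check_execution(root: Path, candidate: Path, baseline: Dict[str, str]) -> Tuple[bool, str]:
    """Allow only a file that is listed AND still has the listed hash.
    Unknown files and modified/replaced files are denied (default deny)."""
    try:
        rel = candidate.resolve().relative_to(root.resolve()).as_posix()
    except ValueError:
        return False, "outside allowlisted root"
    expected = baseline.get(rel)
    if expected is None:
        return False, "not in allowlist"
    if sha256_of(candidate) != expected:
        return False, "hash mismatch (modified or replaced)"
    return True, "allowed"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario in a temporary directory standing in for an HMI host:
    (1) a baselined binary runs, (2) a dropped tool is refused, (3) a baselined
    binary silently replaced by a trojanised 'update' is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        hmi = root / "hmi"
        hmi.mkdir()
        # Constructed stand-ins for real binaries (only the hashes matter here).
        (hmi / "hmi.exe").write_bytes(b"MZ\x90\x00 legitimate HMI build 4.2")
        (hmi / "scada.dll").write_bytes(b"MZ\x90\x00 scada support library")
        baseline = build_baseline(root)

        results = {}
        results["legit"] = check_execution(root, hmi / "hmi.exe", baseline)

        # An attacker drops a new tool: not in the baseline, so denied.
        (hmi / "tool.exe").write_bytes(b"MZ\x90\x00 dropped lateral-movement tool")
        results["dropped"] = check_execution(root, hmi / "tool.exe", baseline)

        # A poisoned update overwrites an allowlisted binary in place: hash differs, denied.
        (hmi / "hmi.exe").write_bytes(b"MZ\x90\x00 trojanised update 4.2.1")
        results["trojanised"] = check_execution(root, hmi / "hmi.exe", baseline)
        return results


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:11s} allowed={allowed} ({reason})")
```

Note what this does and does not cover. It stops a dropped tool or a replaced binary from launching, but it says nothing about an already-allowed process being exploited in memory: NotPetya also spread by exploiting the SMB service on unpatched hosts and by stealing credentials to run legitimate administrative tools remotely. That is why the first recommendation above is runtime, in-memory protection, and why the deferred patch still needs a date on the calendar.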
About the author
Jackie is an IT veteran in Australia, having been involved in the launch of some of Australia's largest websites, including ninemsn, magshop and Ticketek. More recently she has moved into consultancy, where she has also sourced specialised cybersecurity talent for many Australian and multinational organisations and projects. In her role as National Sales Director for Logi-Tech Pty Ltd she works with clients to determine the products and services that will provide a multi-layered network and software approach to security, focusing on the supply, installation and configuration of a suite of best-of-breed solutions to secure a business. Jackie and the team at Logi-Tech can provide advice on solutions and governance that will protect your OT and IT environments.


ISACA'S SHELEADSTECH PROGRAM SEEKS TO INCREASE THE REPRESENTATION OF WOMEN IN TECHNOLOGY LEADERSHIP ROLES AND THE TECH WORKFORCE. sheleadstech.isaca.org

RAISING AWARENESS We will work to educate employees, allies, and engaged professionals so that we can overcome unconscious bias.

PREPARING TO LEAD Our training and skills development programs will prepare current and upcoming female leaders for the digital future.

BUILDING GLOBAL ALLIANCES Through strategic partnerships, we will amplify our impact beyond the ISACA network and support our chapters as they tackle the unique challenges in their region.


Cyber Security

The encryption act

By Nicole Murdoch, B Eng (Elect), J.D., MIP, Principal, EAGLEGATE Lawyers, and Director, AISA. The views expressed herein are her own and do not reflect the position of AISA.

In late 2018, on the final sitting day of Parliament for the year, the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill passed both houses, and a mere three days later it received Royal Assent and became law. Since then Australia has been criticised not only for the mere existence of the law but also for its scope and operation and for the perceived lack of consultation with industry. Let's take a step back and look at the Assistance and Access Act, how it operates and how it came into existence.

Firstly, it must be stated that the Assistance and Access Act (the Encryption Act) is not a blanket back door allowing law enforcement to access all devices. It does, however, provide for a back door into some devices. This may seem a semantic word game, but it does provide some comfort overall.

The Act applies to designated communications providers (DCPs), which include carriers, manufacturers of devices, entities that supply electronic services to consumers such as secure messaging applications, and entities that provide services or software for use in connection with a carriage service or an electronic service. In short, it affects everyone in the chain involved in the manufacture of devices and the use of devices over any carriage service.

The types of assistance that can be required under the Act include removing electronic protections, providing technical information, installing, maintaining, testing or using software or equipment nominated by an agency, and notifying an agency of changes to, or developments of, the DCP's service that may be relevant to a warrant. 'Providing technical information' is to be interpreted broadly and could include source code and all of the material necessary to amend, build and deploy that source code onto devices. 'Access' is also defined to include access subject to a precondition, push technology and a standing request.

There are three kinds of requests or notices that can be issued under the Act: a technical assistance request (TAR), a technical assistance notice (TAN) or a technical capability notice (TCN). A technical assistance request may ask the provider to do things on a voluntary basis,


but a technical assistance notice or a technical capability notice can direct acts to be done. A person is not criminally responsible for an offence if the person acts in accordance or compliance with a request or notice under the Act. In addition, a DCP and its officers and employees have no civil liability if it acts in compliance with a notice or a technical assistance request.

'Forcing business with operations outside Australia to comply with TANs or TCNs that violate the laws of other countries in which they operate, will just incentivise criminals to use service providers that never assist Australian authorities or ones that operate underground in jurisdictions unfriendly to Australian interests.'

There are limitations to the Act. DCPs are not required to build systemic weaknesses or vulnerabilities that would render methods of authentication or encryption ineffective, and they cannot be prevented from rectifying a systemic weakness or vulnerability. Accordingly, it should not be possible under the Act for a direction to be given for a blanket back door to be built into devices. The Act is not without teeth: penalties include fines of up to $10 million and imprisonment for five or 10 years.

One of the other criticisms of the Act was that it was rushed and that there was not enough industry consultation. Again, it should be kept in mind that simply because a Bill is rushed does not mean that there was no industry consultation. Bill Shorten is quoted as saying that "There are legitimate concerns about the encryption legislation but I wasn't prepared to walk away from my job and leave matters in a stand-off and expose Australians to increased risk in terms of national security." The Australian Labor Party had pushed for 173 amendments to be made to the Bill but ultimately conceded to allow the Bill to pass unamended, on the basis that it would seek to reintroduce the amendments in early 2019.
Those amendments are set out in the Supplementary Explanatory Memorandum and include enhancing existing oversight arrangements, adding reporting requirements, enhancing protections against systemic weaknesses and vulnerabilities, imposing time limits on technical assistance notices, making the list of activities that may be required by a notice exhaustive, and requiring a 'double lock' approval of technical capability notices. The amendments run to over 60 pages in total. Given that it is widely anticipated that Australia will have a change of government at the upcoming May election, it is debatable whether any of these amendments will be made before that change.

The Bill was introduced in September 2018 and provided for a three-stage consultation process. That gave industry, advocacy groups, civil society groups and the public an opportunity to scrutinise and comment on the Bill. Submissions were due on 12 October, but the Committee was prepared to accept submissions after that date. There were also five public hearings. Despite this, the Act was pushed through, and that appears to be acknowledged by both sides of Parliament; the belief being that the threat of terrorism is higher over the Christmas period. It is nonetheless interesting that not a single one of the amendments requested by the ALP was made before the Bill passed.

Apple has been a staunch defender of privacy and is widely recognised for refusing to cooperate with US law enforcement agencies when they try to gain access to Apple devices. One of the points Apple raises in justifying its position is that criminals will simply find other means to encrypt their communications. It has stated: 'Forcing business with operations outside Australia to comply with TANs or TCNs that violate the laws of other countries in which they operate, will just incentivise criminals to use service providers that never assist Australian authorities or ones that operate underground in jurisdictions unfriendly to Australian interests.' So again we have the argument that the Act will only affect those who have nothing to hide.

The other issue to consider, at a much higher level, is whether a law enforcement agency exercising its powers under the Act is any different from a law enforcement agency executing a search warrant on hard-copy documents. Proponents of this view state that the introduction of the Act simply brings the law into the modern age and allows law enforcement agencies to operate on the same footing as the subjects they investigate.
Conversely, its critics state that giving a law enforcement agency the ability to obtain source code, amend it and deploy it, allowing ongoing covert surveillance of bad actors, is an entirely different thing from executing a search warrant in front of the subject. As to the criticism over the lack of amendments, it should be kept in mind that this is a new Act, and new Acts often require amendment as they are enforced and legally tested. Whether the amendments come before May is unknown, but in time there will be amendments to the Act. Which direction those amendments take us, in light of the ALP's criticism and its demands for 173 changes, will be interesting to watch.



Cover Feature

Will Australia’s data protection authorities grow some teeth in 2019?

By Dr Jodie Siganto and Tom Mackie

Long regarded by many as 'toothless tigers', Australian regulators could in 2019 wade more forcefully than before into the regulation and enforcement of privacy and data rights. While most are familiar with the OAIC's role as Australia's principal information privacy regulator, the Australian Competition and Consumer Commission (ACCC) looks ready to become increasingly involved in regulating data handling practices across a number of sectors, as part of its consumer protection role. And regulatory action may flourish with greater political support following the scathing review of regulatory performance by the Banking Royal Commissioner, the MyHealthRecord mess and the 'success' of the Notifiable Data Breaches scheme.

The ACCC to Enter the Fray – The Consumer Data Right

The ACCC looks set to play a crucial role as the 'lead regulator' in the establishment and enforcement of a new Consumer Data Right (CDR) for Australia. The CDR will open access to valuable datasets in designated sectors, starting with banking, energy and telecommunications. Customers will have a right to access 'consumer data' and a right to share that data with accredited third parties of their choice. For example, a banking customer could request that their transaction records be transferred to a loan comparison service, or to a FinTech that provides investment recommendations tailored to the customer's financial circumstances. The CDR is designed to increase consumers' access to and use of their data, as well as making it easier for consumers to switch providers. It also seeks to break down the monopolisation of consumer activity datasets: rather than incumbents such as the major banks holding exclusive access to their customers' data, those consumers and third parties (e.g. FinTechs) will have the opportunity to leverage the analytical value of the shared data for the consumer's own benefit. The new transferability of datasets will come with some protections. The ACCC will play a critical role in establishing the CDR by conducting sectoral assessments, which will recommend the datasets to be made mandatorily available, the parties required to share the prescribed consumer data, and the parties that may access, share and receive that data, among other things. The OAIC will take on an advisory function and will assist the ACCC in considering the privacy consequences of these matters.

CDR Privacy Safeguards

Critically, the CDR will also include a set of 'CDR Privacy Safeguards' applicable to CDR data transferred within the scheme. While on their face the CDR Privacy Safeguards seem similar to the APPs in the Privacy Act 1988 (Cth), those obligations will be prescribed in the ACCC's new CDR rules, which will be developed in consultation with the OAIC. The ACCC and OAIC together will enforce compliance with the CDR scheme and the CDR Privacy Safeguards under a 'multiple regulator model' with a 'no wrong door' approach to handling complaints. Penalties will be capped at $500,000 for individuals and $10 million for corporations. It is clear that the scope of the changes to be introduced by the CDR is significant. In addition to introducing a new regime of mandatory data sharing, the CDR will effectively create a second stream of privacy obligations, as we have analysed previously. It will also expand the range of organisations that must meet privacy obligations, and extend privacy protections to businesses (as well as individuals) that participate in the scheme.

Background to the CDR

The CDR was developed following a series of government reviews and inquiries, including, most significantly, the Productivity Commission's report on Data Availability and Use and the Treasury's Open Banking Review, chaired by Scott Farrell. These two reviews provided recommendations as to the form and scope of the right, as well as the appropriate legislative and regulatory framework to support it. In this regard the CDR appears to be heavily influenced by the UK Open Banking regime, albeit the Australian proposal applies the approach to other sectors, namely energy and telecommunications.

CDR vs EU data portability rights

The CDR comes at a time of worldwide legislative innovation in the space of data portability rights, which seek to address emerging problems in the data economy such as the market power of large data collectors, consumer difficulties in switching providers, and a lack of consumer choice. Last year the EU legislated a data portability right as part of the suite of data subject rights enshrined in the GDPR. The GDPR's data portability right takes a different approach from the CDR in that it permits individuals to port personal data, rather than consumer data prescribed by the Australian competition regulator. Thus the CDR and the GDPR data portability right differ in objective and scope. The CDR is about fostering competition and provides portability rights for entities that would not have rights under information privacy law (e.g. SMEs can request that their data be transferred under the CDR). Not unexpectedly, it seems that there are some jitters about the introduction of the new scheme and the relatively ambitious roll-out timetable. In January 2019 it was announced that full implementation of the CDR has been postponed to February 2020, with beta testing of the system to commence on 1 July 2019 with Australia's 'Big Four' banks (Commonwealth, NAB, Westpac and ANZ).

The ACCC's Digital Platforms Inquiry

The ACCC has also considered the market power of large platforms such as Google and Facebook in its Digital Platforms Inquiry Preliminary Report, released on 10 December 2018. The Preliminary Report's coverage has been far-reaching, including the impact of digital platforms on the delivery of news and journalistic content in Australia, as well as on the web-based advertising industry. It has also considered consumer welfare issues, such as the lack of transparency around data handling practices and the potential exploitation of consumers' personal information by large platforms. The ACCC's preliminary recommendations include a variety of regulatory reforms. Perhaps most relevantly for data security and privacy practitioners, the recommendations include a number of proposed amendments to the Privacy Act 1988 (Cth). The proposals would provide consumers with greater control over their personal information, and include:

• Strengthening collection notification requirements.
• Requiring certain businesses to undergo external audits to monitor and publicly demonstrate compliance with these privacy regulations, through the use of a privacy seal or mark (auditors to be certified by the OAIC).
• Requiring express, opt-in consent that is informed, voluntarily given, current and specific.
• Enabling the erasure of personal information where consumers withdraw their consent and the personal information is no longer required to provide the consumer with a service.
• Increasing penalties for breach of the Privacy Act to at least mirror the penalties for breach of the Australian Consumer Law.
• Introducing direct rights of action for breaches of the Privacy Act.
• Increasing resourcing for the OAIC.

The ACCC has also proposed other reforms that would likely affect Australia's privacy landscape:

• The adoption of the Australian Law Reform Commission's proposal for a statutory cause of action for serious invasions of privacy.
• That unfair contract terms should be illegal (not just voidable) under the Australian Consumer Law, and that civil pecuniary penalties should apply to their use, to more effectively deter digital platforms, as well as other businesses, from leveraging their bargaining power over consumers by using unfair contract terms in their terms of use or privacy policies.




Clearly, many of the ACCC’s preliminary recommendations concern the regulation of privacy in Australia. This will be a developing issue over 2019 and we shall have to wait to see what is included in ACCC’s final report and whether the Federal Government adopts these recommendations in part, or in full. The government is likely to have a lot of other issues on its plate in 2019 so it’s difficult to see any of these recommendations being implemented any time soon.

A Stronger Role for the OAIC?

As we enter the second year of operation of the Notifiable Data Breaches scheme, reported data breaches are attracting an increasing amount of media attention. This heightened interest, plus concerns around the MyHealthRecord system, could lead to more public demand for a stronger privacy and data security regulator, and to increased funding and support for greater regulatory intervention by the OAIC. As part of the recent, highly publicised Financial Services Royal Commission, the lacklustre enforcement of regulators, and of ASIC in particular, has been closely scrutinised. Commenting on the Royal Commission's interim report, Professor Caron Beaton-Wells, referring to ASIC, charges it: "… with bending over backwards to negotiate agreed outcomes with offenders. The report states: '… ASIC's starting point appears to have been: How can this be resolved by agreement?' The starting point should be: Why would it not be in the public interest to bring proceedings to penalise the breach?" The same sort of charge could be levelled against the OAIC. The OAIC has long been criticised for its failure to act, and has struggled with a lack of resources and funding. It has more commonly sought agreed outcomes to investigations and, more recently, looked to enforceable undertakings, rather than pursuing more punitive measures. There is yet to be a case of the OAIC imposing a civil penalty for an interference with privacy, notwithstanding that the Commissioner has had that power since 2014. But with the ACCC, APRA and ASIC all likely to take a more interventionist enforcement approach to breaches within their regulatory oversight, it seems possible that this might spill over to the OAIC.

Conclusion

So, for 2019, you might expect:

• Greater focus on consumer data and the rights of individuals to control the way that data is handled, at least in certain sectors, as part of the introduction of the new Consumer Data Right;
• Increased responsibilities for organisations that hold consumer data, including a new set of CDR Privacy Safeguards, to be enforced by the ACCC;
• Some discussion about further changes to the Privacy Act, including the possibility of the introduction of a right to sue for breach of privacy; and
• More regulators than ever involved in the protection of data.

With the ACCC stepping into the regulation of consumer data in the banking, energy and telecommunications sectors, as well as signalling a potential intent to take enforcement action in relation to unfair contractual terms governing data handling practices, it would be prudent for practitioners to consider new legal questions when reviewing companies' consumer and personal data usage. For instance, will you need to make certain datasets readily available for your customers to access, export or transfer? And are your data collection and handling practices fair to the consumer, as expressed in contracts and privacy policies? But what else will change? We are not wildly over-optimistic about the likelihood of the introduction of a statutory right to sue for breach of privacy, something which has been up for discussion since at least 2008, has been reviewed and supported by various Law Reform Commissions, and is yet to make it into legislation. It will take a government with quite a bit of political capital to get that change through (and political capital has been in short supply lately). Without a private right to sue, the protection of privacy rights and the rights of consumers will continue to rely on the enforcement action of regulators. Will the OAIC and ACCC continue as the toothless tigers we are used to, or, with the winds of the Financial Services Royal Commission pushing regulators into more action plus some nifty new powers, will they grow some teeth in 2019? It could be an interesting year.

About the Authors
Tom Mackie is a privacy consultant for Ringrose Siganto. He recently graduated from the University of Queensland (UQ) with an LL.B, and has worked as a research assistant for two years at UQ and QUT focusing on privacy and data protection law.



Think equal, Build smart, Innovate for change.

It’s my Institute.

International Women’s Day is the global day celebrating the social, economic, cultural and political achievements of women. The day helps promote gender balance within our industry, its teams and leaders. After 45 years the Institute continues to develop knowledge and awareness of contemporary and leading edge security management best practice. Share in your expertise with other peers and develop your networks.

VICTORIAN SECURITY INSTITUTE

International Women's Day March 8 #BalanceforBetter

vsi.org.au APPROVED SECURITY INDUSTRY ORGANISATION



Cyber Security

Legal changes required for the cyber security landscape

By Brenda van Rensburg

Cybercrime has increased exponentially over the years. According to Statista, cybercrime caused losses of over $1.4 billion in the USA during 2017, an increase of over 90% in fifteen years. Cybersecurity Ventures expects the global cost of cybercrime to reach $6 trillion annually by 2021. Most of these crimes are committed across international borders, which creates a challenge for the legal system. The current legal system has a number of shortcomings that contribute to cybercrime increasing so rapidly, and they would need to change substantially to allow legal and cyber professionals to do their jobs. To understand a little of what the legal system is facing, and what needs to change, we first need to look at some of the constraints within our current legal system.

A Bird's Eye View of our Current Legal System

Before we look at future changes within our legal system, we first need to understand the current one. The legal system has three branches, under the doctrine of the separation of powers: the legislature (the parliament that creates an Act), the executive (such as the police, councils, etc.) and the judiciary (the court system that resolves disputes). This prevents the concentration of power in one individual or institution. Common law, according to the Concise Australian Legal Dictionary, is 'the unwritten law derived from the traditional law of England as developed by judicial precedents, interpretation, expansion and modification.' This system follows a legal hierarchy that is mostly governed by jurisdiction; it is one of the main reasons why a decision of the Federal Court may take precedence over a decision of a Magistrates Court. International law, on the other hand, has two facets: public international law (between States) and private international law (between private people and companies). Both come with complexity, but typically international law, from a domestic point of view, is seen as a secondary source of law. Cybercrime generally falls under international law, which is one reason it is tougher to convict someone of such a crime.

Cybercrime as it is seen today

Cybercrime is crime committed through the use of a digital device such as a computer or smartphone. It comprises a range of offences, which include fraud (such as phishing to obtain sensitive data), identity theft (mostly achieved through social engineering), sale of illegal and prohibited content (sold via the dark web), data theft (interception of data, as in a man-in-the-middle attack), industrial sabotage (such as a DDoS attack), total system control (such as ransomware), and many more notorious actions that leave victims helpless, and sometimes penniless. While cyber security professionals may be able to identify and apply countermeasures to these problems, the issue lawyers face is mapping these crimes to definitions that are often absent from the legal structure. An example of these challenges is data theft. The general definition, according to the Criminal Code Compilation Act 1913 (WA), is that property is stolen if it is moved without the consent of the owner. If the owner consented to moving data (property) via email, and someone intercepts that property in transit, did that 'someone' actually cause the data to move initially? Notably, one can apply the Cybercrime Act 2001 (Cth), which describes unauthorised modification, access or impairment. However, the definition can be further argued as to the meaning of each term. What does it mean to access data if the data is sent freely? As you can see, there are some legal boundaries facing lawyers when it comes to applying the law to the facts of a case!

Restrictions that face the legal industry

Ironically, cybercrime does not typically fall within the domestic borders of a country. In most cases the crime will have stemmed from a perpetrator in another country while the offence was committed on domestic soil. Thus, convicting a cybercriminal under domestic law is a challenge. As Tim Kennedy of Kott Gunning Lawyers pointed out, cybercrime comes with 'jurisdictional issues and the issue of co-operation with overseas authorities.' According to Susan Brenner, 'cybercrime is not committed "in" the territory of a single sovereign state; instead, "pieces" of the cybercrime occur in territory claimed by several different sovereigns.' How does one seek justice in a legal system that is shackled by a boundary-based administration?

Globalizing Cyber Law

There are three changes that the legal system would need to address in order to reduce the revenue loss facing today's industry. The first of these would be jurisdiction. Currently, law in each country is bound to the legal structure within that country. Notably, cybercrime, for the most part, crosses international borders, thus international law would apply. However, there are some restrictions within this sector as well. For changes to occur, globalization of law would need to transpire by creating a Global Cyber Law System in which countries can join forces to combat cybercrime. According to the Australian Department of Foreign Affairs and Trade, there is a need for 'greater harmonisation of cybercrime legislation between countries.' The next factor would be to create Global Cyber Legislation which countries can adopt. The United Nations Conference on Trade and Development stated that more than 30 countries do not have cyber legislation in place. This legislation will need to cover definitions facing today's cyber industry, together with penalties for those offences. Although Australia has a Cybercrime Act, it lacks a number of definitions, including cyber bullying, ransomware and DDoS attacks. It does, however, cover basic descriptions which could notably be argued in a court of law. Creating up-to-date global definitions of cybercrime could make it easier to align specific cybercrimes to legislation, which brings us to the last factor: application of the law. Once legislation and jurisdiction have been globalized, there would need to be a system for lawyers to follow. The legal system, as we know it today, has been established so that one entity does not have the power to both make and enforce law. Globalization of cyber law will need to include separation of powers, a framework which should include common law (derived from court rulings), an international executive committee (such as cyber police) and an international legislative council (similar to that of a parliament). All three of these powers should include members from different countries, with specific training requirements for each sector. According to the International Telecommunication Union (ITU), the ITU Secretary General launched the Cyber Security Agenda in 2007, an international dialogue between countries about the growing concerns of cybercrime. Notably, this is a framework that is already in place to establish a Globalized Cyber Law Division that works in harmony to combat the rise of cybercrime globally.

About the Author: Brenda is the head of cyber security for Terrene Global, leading the company's programs across information and operational technology environments.
Brenda is also an experienced company director and founder of the cyber management consulting group Terrene Global, specializing in governance, strategy, risk, and resilience from business, technology and law perspectives. As a company director and executive manager, Brenda has more than 15 years' experience serving on boards of private organizations, and in global business operations including strategy and business development. Brenda's experience spans a broad spectrum of industries, giving her an in-depth knowledge of corporate governance, enterprise risk management, organizational resilience, cyber security and information technology strategy. Brenda has lived and worked in numerous countries, including the USA, South Africa, New Zealand and Australia. Leveraging this experience, she has a broad understanding of organizational culture and cyber security, building cyber literacy and resilience across organizations.

Australian Cyber Security Magazine | 67


Cover Feature

Zero trust security

A step in the right direction for cyber hardening

By Annu Singh

Traditional security focused mainly on external threats, working on the assumption that internal actors are trustworthy and mean no harm. This was sometimes referred to as the castle and moat model, since effort was mostly expended on countering intrusion, i.e. keeping the bad guys out. The disadvantage of this model is that once an attacker has gained access, they have full control of the systems, without any further hindrance. With cloud computing, data is dispersed and distributed across the infrastructure, limiting the effectiveness of this perimeter-centric security approach. Zero trust security systems recognise that threats can come from anyone, including insiders. Zero trust treats internal and external actors the same and continuously evaluates the behaviour and actions of people and systems, identifying and eliminating potential threats. In zero trust, a risk score is calculated based on the evaluation of several parameters against defined legitimate/sanctioned factors of an individual's behaviour. These parameters range from basics like a user's physical location, IP address, authorisation and permissions to advanced clearances. If the risk score exceeds the approved threshold, the actor is locked out of the network, or required to undertake additional checks (such as a second factor of authentication or a one-time password).


Zero trust systems are based on four key principles, as follows:

1. Never trust, always verify: attackers can be either internal or external to the network, so no users or machines should be given access by default.

2. Need-to-know basis: users should be given the minimum access privileges, i.e. only to what they need to know, to minimise the threat and risk exposure to the network.

3. Micro-segmentation: the security perimeter is broken into smaller zones, to control authorisation and access to each zone. A user may have access to only a specific zone and not the entire network.

4. Multifactor authentication (MFA): in addition to a password, MFA requires additional information to authenticate the user before access is granted. The most common form of MFA is two-factor authentication (2FA): in addition to their password, users who enable 2FA for the authorised services must also enter a code, which is sent to another device, such as a mobile phone, thus providing two pieces of evidence to authenticate their identity and authorisation.
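The risk-score decision described above (lock out, or demand a second factor, when the score crosses a threshold) together with the need-to-know and micro-segmentation principles, as an added illustration that is not code from the article or from any product it mentions. The factor weights, thresholds, address ranges, zone names and sample requests are all constructed for this example:

```python
"""Added example (not from the article): a minimal zero-trust policy decision
that first checks zone entitlement (need to know + micro-segmentation), then
scores the request and returns allow / step-up / deny. Weights, thresholds,
networks and zones are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed reference data: corporate address ranges and the zones each
# group is entitled to reach. Anything not listed is denied by default.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]
ZONE_ACCESS = {
    "finance": {"user", "cardholder-data"},
    "engineering": {"user", "application", "database"},
    "guest": {"guest-wireless"},
}
STEP_UP_THRESHOLD = 40   # risk at or above this needs a second factor
DENY_THRESHOLD = 70      # risk at or above this is refused outright


@dataclass
class AccessRequest:
    user: str
    group: str
    source_ip: str
    country: str          # where the request comes from
    home_country: str     # where this user normally works
    device_managed: bool
    device_patched: bool
    mfa_completed: bool   # has a second factor already been presented?
    target_zone: str


@dataclass
class Decision:
    verdict: str          # "allow", "step-up" or "deny"
    risk: int
    reasons: list = field(default_factory=list)


def risk_score(req):
    """Sum constructed weights for each untrusted signal; higher is riskier."""
    score, reasons = 0, []
    if not any(ip_address(req.source_ip) in net for net in CORPORATE_NETWORKS):
        score += 25
        reasons.append("source outside corporate networks")
    if req.country != req.home_country:
        score += 30
        reasons.append("login from unusual country")
    if not req.device_managed:
        score += 30
        reasons.append("unmanaged device")
    elif not req.device_patched:
        score += 15
        reasons.append("managed device missing patches")
    if req.target_zone in {"cardholder-data", "database"}:
        score += 15
        reasons.append("sensitive zone requested")
    return score, reasons


def evaluate(req):
    """Never trust by default: entitlement first, then the continuous risk check."""
    if req.target_zone not in ZONE_ACCESS.get(req.group, set()):
        return Decision("deny", 100, ["zone not entitled for group " + req.group])
    score, reasons = risk_score(req)
    if score >= DENY_THRESHOLD:
        return Decision("deny", score, reasons)
    if score >= STEP_UP_THRESHOLD and not req.mfa_completed:
        return Decision("step-up", score, reasons)
    return Decision("allow", score, reasons)


if __name__ == "__main__":
    # Constructed requests: the same finance user from the office and from home.
    office = AccessRequest("alice", "finance", "10.1.2.3", "AU", "AU", True, True, False, "cardholder-data")
    home = AccessRequest("alice", "finance", "203.0.113.5", "AU", "AU", True, True, False, "cardholder-data")
    for r in (office, home):
        d = evaluate(r)
        print(r.user, r.source_ip, "->", d.verdict, d.risk, d.reasons)
```

The same user gets a plain allow from the office, a step-up demand from an external address, and the step-up is skipped if the second factor was already completed; an unmanaged device abroad asking for a sensitive zone is refused without any prompt, and a group that has no entitlement to a zone never reaches the scoring stage at all.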


Cyber Security

Zero trust is not limited to user access control only. Zero trust systems also closely monitor all devices that connect to the network and ensure their authorisation, thus minimising the attack surface.

Inside Zero Trust Security Architectures

Zero trust security was a term coined in 2010 by Forrester, who defined this security model as a network segmentation gateway and "micro core and perimeter" (MCAP), supported by centralised management. The main components of zero trust security are the zero-trust segmentation platform, trust zones and the associated management infrastructure. The Zero Trust Segmentation Platform is a collection of multiple distinct and distributed security technologies that operate together to provide a comprehensive threat protection framework. It defines internal trust boundaries and provides the security functionality needed to deliver on the zero trust operational objectives, including the ability to enable secure network access, granularly control traffic flow to and from resources, and continuously monitor allowed sessions for signs of threat activity. Trust Zones are distinct pockets of infrastructure, where the member resources operate at the same trust level and share similar functionality, such as protocols and types of transactions. Examples of trust zones include the user zone, a wireless zone for guest access, a cardholder data zone, database and application zones for multi-tier services, and a zone for public-facing web applications. Management infrastructure that allows ongoing monitoring and data analysis, giving timely insight to further enhance network visibility, detect unknown threats, or support compliance reporting, is essential for the Zero Trust Segmentation Platform to be successful.

According to Cybersecurity Ventures research, cybercrime will cost $6 trillion by 2021, up from $3 trillion in 2015. The world will need to cyber protect 300 billion passwords globally by 2020. The world's digital content is expected to grow from 4 billion terabytes (4 zettabytes) last year to 96 zettabytes by 2020. Global spending on cybersecurity will exceed $1 trillion cumulatively between 2017 and 2020, according to Cybersecurity Ventures.

While building cyber security solutions, IT security managers and architects need to consider both governance and technology aspects to select and build a zero-trust network platform. Forrester's research white paper on zero trust security architecture highlights a few key points to consider, as summarised below:

• Implement well-defined policies based on application, user, content, device and device state, to determine which users and devices can access sensitive applications.

• Identify application ID technology that accurately identifies and classifies all traffic, regardless of ports and protocols, evasive tactics such as port hopping, or encryption.

• Build a least-privilege access control model based on a combination of App-ID, User-ID and Content-ID that allows organisations to control interactions with resources based on business-relevant attributes, like the specific application and individual functions being used, user and group identity, and the specific types or pieces of data being accessed (e.g. credit card or social security numbers).

Organisations can move to a zero-trust security model through a non-disruptive, progressive approach, leveraging their current capabilities and building on them incrementally. Zero trust implementation needs strong network controls that segment and isolate data and resources. The modern network is a combination of on-premises, web and cloud-based systems, and protections need to be seamless. Zero trust workload principles should protect the front-end and back-end systems that drive your daily business operations. An effective zero trust security strategy must vet every device (both managed and unmanaged endpoints: mobile devices, tablets and the like, as well as IoT devices) that touches the ecosystem and ensure it is trustworthy; grant access; and then isolate, secure, and always control every device touching the network. A good zero trust security solution suite should include cloud workload protection, a web application firewall, a cloud access security broker, a control compliance suite, Validation and ID Protection (VIP), email and web gateway solutions, security and behaviour analytics, and endpoint detection and response capabilities. Once organisations have assessed and analysed all transactions that flow throughout their network, including where, when and to what extent specific users are using specific applications and data resources, IT security managers and management can make an informed decision to incrementally deploy devices in appropriate locations, establish internal trust boundaries for the identified trust zones, and configure the appropriate enforcement and inspection policies, to effectively put each trust boundary "online". This can minimise the potential impact on IT operations and spread the required investment and work effort over time.

To start with, four areas to review for implementing trust zones are: payment card industry (PCI) and financial data; personal healthcare information (PHI); personally identifiable information (PII); and intellectual property (IP). The transition to zero trust security provides organisations with situational awareness of all their computing activities. Through strict enforcement of a least-privilege access control policy, businesses can reduce the attack surface and harden their organisation's security posture. Every 40 seconds a business falls victim to a ransomware attack; Cybersecurity Ventures predicts that will rise to every 14 seconds this year. The FBI estimates that the total amount of ransom payments approaches $1 billion annually. Sponsored by IBM Security and conducted by the Ponemon Institute, the 2018 Cost of a Data Breach Study found that the average cost of a data breach globally is $3.86 million, a 6.4 percent increase from the 2017 report. Organisations can no longer afford to look at zero trust as a band-aid solution. The immediate need is to pursue zero trust as an ongoing effort, and include it as part of the digital transformation strategy, to build cyber resilience and protect the castle from internal and external threats.
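The App-ID / Content-ID / trust-zone idea from the Forrester summary above, and the PCI, PHI and PII zones just listed, as one added illustration that is not code from the article, from Forrester, or from any vendor product. Everything in it is constructed: the application fingerprints are deliberately small, the segmentation rules and zone names are invented, and the packets are synthetic. The point it shows is that the application is recognised from what the bytes look like rather than from the port, that sensitive content is classified before the rule lookup, and that any flow not matched by a rule is denied:

```python
"""Added example (not from the article or Forrester): a toy zero-trust
segmentation check. It identifies the application from payload bytes rather
than port, classifies payload content, and applies default-deny rules between
trust zones. Zone names, rules and packets are constructed."""
import re


def identify_app(payload: bytes) -> str:
    """App-ID: recognise the protocol from the bytes, not the port number."""
    if payload.startswith((b"GET ", b"POST ", b"PUT ", b"HEAD ")):
        return "http"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"            # TLS record: handshake content type, version 3.x
    return "unknown"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_content(payload: bytes) -> str:
    """Content-ID: flag Luhn-valid 13-19 digit runs as cardholder data."""
    text = payload.decode("latin-1")
    for m in re.finditer(r"\b\d{13,19}\b", text):
        if luhn_ok(m.group()):
            return "cardholder-data"
    return "generic"


# Segmentation rules: (src zone, dst zone, app, user group, content) -> allow.
# "*" matches anything. A flow matched by no rule is denied (default deny).
RULES = [
    ("user", "web", "http", "*", "generic"),
    ("user", "pci", "tls", "finance", "*"),
    ("user", "phi", "tls", "clinical", "*"),
    ("web", "application", "http", "*", "generic"),
    ("application", "database", "tls", "*", "*"),
    ("guest-wireless", "web", "http", "*", "generic"),
]


def _match(pattern, value):
    return pattern == "*" or pattern == value


def evaluate_flow(src_zone, dst_zone, user_group, payload):
    """Return (verdict, app, content) for one flow crossing a trust boundary."""
    app = identify_app(payload)
    content = classify_content(payload)
    for r_src, r_dst, r_app, r_group, r_content in RULES:
        if (_match(r_src, src_zone) and _match(r_dst, dst_zone)
                and _match(r_app, app) and _match(r_group, user_group)
                and _match(r_content, content)):
            return "allow", app, content
    return "deny", app, content


if __name__ == "__main__":
    # Constructed flows: same zones and user, different payloads.
    print(evaluate_flow("user", "web", "finance", b"GET /index.html HTTP/1.1\r\n"))
    print(evaluate_flow("user", "web", "finance",
                        b"POST /pay HTTP/1.1\r\n\r\ncard=4111111111111111&cvv=123"))
    print(evaluate_flow("user", "web", "finance", b"SSH-2.0-OpenSSH_7.9\r\n"))
```

The second flow is the interesting one: HTTP from the user zone to the web zone is normally allowed, but once the payload is classified as cardholder data no rule matches and the flow is dropped, which is the "specific types or pieces of data being accessed" control in the bullet list above. The third shows an SSH session being refused even though it may be travelling over a port the firewall associates with web traffic, because the classifier never looked at the port. 4111111111111111 is a well-known Luhn-valid test number, not a real card.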


Monitoring threat actors

A concerted effort to understand your adversary improves your cybersecurity posture

By Maryam Jafari Lafti Ph.D. and Jamie Lee MacDonald

The underground cyber-criminal economy is a mature and complex ecosystem with threat actors constantly adapting and innovating their strategies in order to profit. The market for cybercrime-enabling tools, services and jobs continues to expand and is increasingly accessible. This has significantly reduced the barrier to entry for individuals with lesser technical skills and those who are willing to assist in the execution of cyber-attacks, thus creating revenue-generating opportunities for the many players involved. Underground marketplaces provide an array of offerings, including hosted attack infrastructure, malware and exploits, and various types of cyberattacks, as a service. Highly capable malware developers demand a premium for their wares, followed by resource- and infrastructure-intensive offerings, such as dedicated fast flux bulletproof hosting and sophisticated proxy services, which enable broader cyber-attack campaigns. Additionally, these marketplaces encompass a flourishing job market, with recruiters and job seekers offering functions that span a range of skillsets and pay. Higher risk jobs and those requiring advanced skillsets demand higher pay, while unskilled jobs pay less. Examples of jobs on the unskilled end of the spectrum include CAPTCHA solvers and local advertising for cybercrime group channels on secure instant messaging services such as Telegram. On the other end of the spectrum, insiders at major financial institutions who can aid in planting malware on banking systems, stealing sensitive financial data, or committing and covering up fraudulent acts, demand a hefty sum for their services.

The underground economy is a varied but interconnected ecosystem, operating on the foundational principle of supply and demand, but also influenced by developments in the environment in which it exists. Criminal tools and services only remain popular while they are profitable or useful, and disappear otherwise. A more effective competitor, a change in threat actor preferences, or security controls which render the tools or services obsolete will have a dramatic impact on the market. Understanding the dynamics of this economy is pivotal to developing sound cybersecurity strategies that not only protect organisations, but also contribute to disruptive influences on cybercrime operations. The complex nature of the underground economy and gaps in visibility into its operations present obstacles to constructing a macro-economic analysis of cyber-criminal enterprises. This has often led researchers to focus on a micro-economic perspective, highlighting the price of individual cyber-attack offerings and estimating the potential profits threat actor(s) make by enabling or partaking in attack campaigns. To gain a better understanding of prevalent economic relationships, we set out to investigate cybercriminal activities through a business lens. Our research sought to compile information about the most commonly used tools and services sold, their average cost, and the combination of components required to operate real world cybercrime enterprises. Based on this information, we were able to examine and compare these enterprises to determine which are the most affordable, both from a cost of entry and a routine operations standpoint. Finally, we overlaid the extracted insights with observed threat activity trends to draw a clearer picture of the common business models adopted by threat actor(s) and the interplay between the underground market dynamics and developments in the threat landscape. The chart below captures the estimated monthly operating cost of a number of common criminal enterprises we analysed.

[Chart: Criminal Enterprise Operation Cost, showing a low estimate, a high estimate and the overall average monthly operating cost for each enterprise analysed]

The cost estimations take into account the considerable variations in the pricing of the components leveraged. Unsurprisingly, campaigns based on sophisticated multi-payload malware are among the costliest, while common phish-kit-based credential harvesting is among the simpler and less costly enterprises to develop and operate. Though our estimations showed that the monthly cost of operating such campaigns could start well under $100, the resulting impact on targeted organisations is often orders of magnitude higher and more difficult to estimate accurately. To illustrate the cost estimation process, let's consider account shops: a commonly advertised offering across criminal markets and forums, where compromised account credentials are sold. Threat actors typically harvest credentials via account checkers, info-stealing malware, or phishing campaigns. These tools are then paired with appropriate communication methods, such as proxies to hide the origin of web-hosted account checker traffic, or botnets to be used with info-stealing malware in broader campaigns. By considering these viable combinations and the observed prices of the common components, the estimated monthly operating cost of an account shop could run between $68 and $3025, with an average estimated cost of $1311. Our research highlighted the intricate interdependency within the underground economy, where cybercriminals often integrate a variety of tools and services to achieve their objectives. The accessibility of these offerings means that a threat actor who may have been unable to perform advanced tasks or run cyberattack operations on their own can simply purchase, or collaborate with others to acquire, the necessary capabilities. These interdependencies also mean that the removal or disruption of cornerstone offerings can have a significant impact on the ecosystem as a whole.

An example of this effect was observed when the disappearance of exploit kit market leaders, in combination with a brief hiatus from the Necurs spam botnet in 2016, led to the exploration of low-cost malware distribution alternatives. It is believed that this change within the ecosystem created a large uptick in the use of RDP brute force as an attack vector for malware distribution. Our observations demonstrated that threat actors often follow one of three business models. The first is the offering of low-cost but widely employed tools or services at large scale. The second is a threat actor seeking out more specialised services that are offered at a higher cost and are only available to select clientele. Finally, in the third model an innovative and specialised service with few – if any – viable alternatives is designed to operate at scale. These services and tools have a large customer base, but can simultaneously demand the highest prices by "cornering" the market niche which they have developed. All models drive forward the principle of supply and demand and depict an efficient underground economy that is able to diversify. This diversification mimics approaches in legitimate markets where businesses focus their production on a limited scope of products or services to achieve production efficiencies, increase quality and reduce cost. The observed dynamics highlight the criticality of weaving insights gleaned from changes in tactics employed by threat actors into the foundational driving elements of an evolving threat management program. A common pitfall that still plagues many security operations teams is a heavy focus on tactical indicators of compromise that threat actors can change easily and with very little effort, thus hindering the defenders' ability to detect and respond to threats in a timely manner. The insights gained through our research illustrate the need to focus on monitoring the threat landscape based on prioritised intelligence requirements, derived from an in-depth understanding of the organisation's risks.
Observed tactics, techniques and procedures leveraged by threat actors must be translated into well-defined use cases, which detect and prevent malicious activity more effectively than short-lived atomic indicators. A concerted effort to track and actively protect against threat actors' evolving strategies can have a direct impact on the underground market by forcing them to reinvent their operations, which often requires a significant amount of time, effort and resources.
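The contrast the authors draw between a behaviour-based use case and a short-lived atomic indicator, as an added illustration that is not code from the article or its authors. It uses the RDP brute-force pattern the article mentions as the worked use case: the synthetic event lines, addresses, thresholds and the stale indicator list are all constructed here, while the Windows event IDs 4624/4625 and logon type 10 (RemoteInteractive) are the real identifiers a security operations team would key on:

```python
"""Added example (not from the article): a behaviour-based detection for an
RDP password-guessing pattern over constructed Windows-style logon events,
beside a lookup against a static indicator list. Event lines, addresses,
thresholds and the indicator list are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

IOC_BLOCKLIST = {"198.51.100.7"}        # constructed, already-stale indicator
FAIL_THRESHOLD = 10                     # failed logons that count as guessing
WINDOW = timedelta(minutes=5)           # sliding window for counting failures
RDP_LOGON_TYPE = 10                     # Windows RemoteInteractive (RDP) logon


def constructed_log():
    """Synthetic lines: '<iso time> <event id> <source ip> type=<n> user=<name>'."""
    base = datetime(2019, 3, 1, 10, 0, 0)
    lines = []
    # 12 failed RDP logons from one external source, one every five seconds...
    for i in range(12):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} 4625 203.0.113.9 type=10 user=admin")
    # ...followed by a successful RDP logon from the same source.
    t = base + timedelta(seconds=90)
    lines.append(f"{t.isoformat()} 4624 203.0.113.9 type=10 user=admin")
    # Benign noise: a staff member mistypes twice over the VPN, then logs in.
    for i, eid in enumerate((4625, 4625, 4624)):
        t = base + timedelta(minutes=2, seconds=20 * i)
        lines.append(f"{t.isoformat()} {eid} 10.0.0.5 type=10 user=jsmith")
    # A console logon failure (type 2) is outside this rule's scope.
    t = base + timedelta(minutes=3)
    lines.append(f"{t.isoformat()} 4625 10.0.0.5 type=2 user=jsmith")
    return lines


def parse_line(line):
    ts, event_id, ip, logon_type, user = line.split()
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id), "ip": ip,
            "logon_type": int(logon_type.split("=", 1)[1]),
            "user": user.split("=", 1)[1]}


def ioc_hits(events):
    """Atomic-indicator match: fires only if the source is already on the list."""
    return sorted({e["ip"] for e in events if e["ip"] in IOC_BLOCKLIST})


def detect_rdp_bruteforce(events):
    """TTP use case: at least FAIL_THRESHOLD failed RDP logons from one source
    inside WINDOW, followed by a successful RDP logon from that same source."""
    recent_failures = defaultdict(list)     # ip -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        recent = [t for t in recent_failures[e["ip"]] if e["ts"] - t <= WINDOW]
        if e["event_id"] == 4625:               # failed logon
            recent.append(e["ts"])
        elif e["event_id"] == 4624:             # successful logon
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"ip": e["ip"], "user": e["user"],
                               "failures": len(recent), "at": e["ts"]})
            recent = []                         # start counting afresh
        recent_failures[e["ip"]] = recent
    return alerts


def run(lines=None):
    events = [parse_line(l) for l in (lines or constructed_log())]
    return {"ioc_hits": ioc_hits(events), "ttp_alerts": detect_rdp_bruteforce(events)}


if __name__ == "__main__":
    result = run()
    print("IOC hits:", result["ioc_hits"])
    for a in result["ttp_alerts"]:
        print(f"ALERT {a['ip']} -> {a['user']} after {a['failures']} failures at {a['at']}")
```

Against the constructed log the indicator list returns nothing, because the guessing source is simply not the address that was on the list, while the behavioural rule raises one alert for the source that failed twelve times and then succeeded, and stays quiet for the colleague who mistyped twice. That is the article's point in miniature: the indicator is trivially rotated, the pattern of many failures followed by a success is not.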


The wrong hands: Biometric data and Its potential for misuse

By Katherine Robertson

In 1865, the British Parliament imposed a draconian Act, restricting all locomotive vehicles to a top speed of 2 mph in urban areas. The "Red Flag" Act was brought about by lobbyists from the railroad and stagecoach industries, in an attempt to reduce competition from the newer, and much faster, automobile industry. The fear of emerging technology is nothing new, and neither are misguided attempts to control technology that has immense potential but is not fully understood by the general populace. While concern regarding the potential power of a new technology is prudent, it is important that the concern is focussed on legitimate issues. Biometric technology is now a ubiquitous form of access restriction, used for everything from securing government facilities to locking a mobile phone. The general populace focuses its concern on government control of personal information, and vague data-handling concepts such as "big brother" and "big data". But they will unthinkingly allow an insecure device such as a phone to capture their biometric information with no regard as to where that information is being stored or how it can be used against them.

Captured For Life

Biometric technology is based around measurements of a user's physical or behavioural characteristics. Other access technologies are based around an object a person has, such as a swipe card or ticket, or something they know, such as a PIN or password. Whereas a swipe card can be reissued and a PIN can be changed, biometric data can almost never be altered for the duration of a person's life. Once an adversary captures a person's biometric information, it cannot be deleted or changed by the victim in order to re-secure their data.

The most common use of biometrics for the majority of people is the fingertip scanner on their mobile phone. These scanners can read the user's fingerprint, finger veins, or a hybrid of the two. Fingerprint scanners can further be broken down by data collection method: optical, capacitive and ultrasonic systems are all available. The scanner then uses algorithms to extract relevant data from the image, and measures these key features against the user's original enrolled data to ensure they match. Different types of scanners have variable success at accurate scanning, and some are easier than others to fool. But little to no thought is given by most users to the technology while entering biometric data into their new phone for use as an access mechanism. Ironically, their primary concern is to secure their data. While this access system operates without issue in the majority of cases, the implications of potentially making this information available to third parties should be considered. Is biometric data accessible by the carrier network, or the phone manufacturer? How can biometric data be retrieved from the device? Can it be hacked remotely? Can it be used on other types of fingertip scanners to gain access elsewhere? In 2013, Apple applied for a patent to make their customers' biometric data accessible via the cloud. This was apparently to reduce enrolment time across a number of devices. But making this biometric data available to anyone capable of logging onto a given account not only presents them with the ability to use a person's irreplaceable biometric data, but also gives them the potential ability to add another person's biometric data to the account to access a device.

Inaccuracy in Access

Fingerprint scanners are one of the most reliable biometric systems developed, but they have lower accuracy rates than iris scanners, and are less secure than retinal scanners. The system used in a given security scenario depends on a number of variables, including the hardware available, the expense, and the level of social acceptability, that is, whether people are willing to use it. These requirements can override consideration of the failure rates of the various technologies. Two types of verification errors can occur when matching biometric data. The first is a false match, or false accept error, which occurs when a system declares two different sets of data to be from the same person. If this error rate is too high, people with similar biological measurements can be accepted to access one another's systems. This error can also occur if an attempt is made by an adversary using a spoofing device, such as an image of a person's fingerprint. The second is a false non-match, or false reject error. This occurs when a biometric measurement does not match the enrolled data of the user. This can result in a user being unable to access their own systems. While a false non-match is usually only an inconvenience, a false match allows unauthorised access to information, with the potential for more serious consequences.
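The two error types described above, as an added worked illustration that is not code from the article or from any scanner vendor. The matcher is hypothetical and every similarity score is constructed; what the example shows is how the decision threshold trades a false accept rate (FAR) against a false reject rate (FRR), where the two meet, and how a batch of spoof attempts that score higher than ordinary impostors moves FAR even though the threshold has not changed:

```python
"""Added example (not from the article): false accept / false reject rates of
a hypothetical biometric matcher at a chosen threshold, the threshold where
the two rates are closest, and the effect of higher-scoring spoof attempts.
All similarity scores are constructed, not measured from any sensor."""

# Constructed similarity scores in [0, 1] from a hypothetical matcher.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.70, 0.93, 0.86]   # same person
IMPOSTOR_SCORES = [0.20, 0.35, 0.41, 0.55, 0.62, 0.30, 0.48, 0.73, 0.25, 0.38]  # different person


def decide(score, threshold):
    """The matcher accepts when similarity reaches the threshold."""
    return "match" if score >= threshold else "no match"


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """FAR: impostors wrongly accepted. FRR: genuine users wrongly rejected."""
    far = sum(1 for s in impostor if decide(s, threshold) == "match") / len(impostor)
    frr = sum(1 for s in genuine if decide(s, threshold) == "no match") / len(genuine)
    return far, frr


def equal_error_threshold(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold, drawn from the observed scores, at which FAR and FRR are closest."""
    candidates = sorted(set(genuine) | set(impostor))

    def gap(t):
        far, frr = error_rates(t, genuine, impostor)
        return abs(far - frr)

    return min(candidates, key=gap)


def spoof_effect(spoof_scores, threshold, impostor=IMPOSTOR_SCORES):
    """FAR before and after adding constructed presentation-attack attempts
    (e.g. a printed image of a fingerprint) to the impostor population."""
    before, _ = error_rates(threshold, impostor=impostor)
    after, _ = error_rates(threshold, impostor=impostor + spoof_scores)
    return before, after


if __name__ == "__main__":
    for t in (0.50, 0.65, 0.75, 0.85):
        far, frr = error_rates(t)
        print(f"threshold {t:.2f}: FAR {far:.2f}  FRR {frr:.2f}")
    eer_t = equal_error_threshold()
    print("equal-error threshold:", eer_t, error_rates(eer_t))
    print("FAR before/after spoof attempts at 0.80:", spoof_effect([0.84, 0.79, 0.91], 0.80))
```

Raising the threshold drives FAR down and FRR up, which is why the article can say that a false non-match is an inconvenience while a false match is the dangerous error: a deployment that cares more about unauthorised access sits to the right of the equal-error point and accepts more complaints from legitimate users. The spoof figure is the reason a low FAR measured against ordinary impostors says nothing about resistance to a crafted input; that has to be tested separately.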

Privacy Concerns

As a biometric is a bodily measurement, the data gathered can reveal more information about a person than is intended. A retinal scan is an internal examination; it scans the blood vessels on the back of the eye. Retinal scans are also used as a diagnostic tool to identify glaucoma and diabetes-related eye disorders. Examination of blood vessels in the eye is so effective as a diagnostic tool that tests are being conducted, with some success, to determine whether it can predict whether a subject is likely to have a major cardiac event. Retinal scans can also provide information about a subject's age, blood pressure and smoking habits. Fingerprint scans can reveal information about some chromosomal diseases. Behavioural measurements such as gait recognition and signature recognition can also identify physical defects or neurological disease. This form of privacy violation is known as "identification beyond purpose". Biometrics are also a concern for other privacy-related reasons: people can potentially be identified who do not wish to be, or without their knowledge. These last two are especially prevalent concerns as the use of facial recognition technology becomes more widespread.

Trust Issues

Trust is a major factor in the examination of the use of biometrics. Providing biometric information, voluntarily or involuntarily, is a proclamation of identity. A user must provide their personal information and be accepted within a system before they can proceed any further. Biometric systems often require the cooperation of the user, who must submit to their data being collected and stored. Biometric systems are not just a form of access control; they give an automated system the responsibility of identifying system users, and of accessing further information associated with the user's biometric profile. It must be trusted that biometric data will be used ethically: not only must a system ensure that adversaries do not access the biometric data itself for fraudulent purposes, it must also prevent associated information about a user from being accessed.

Social Acknowledgement

One of the requirements to be considered for a specific biometric system is its level of social acceptance. Users must trust that their data is being used accurately and ethically, but they also must be willing to submit to a physical examination. Some forms of biometrics require physical contact with a machine, and, in the case of vascular biometrics, an internal examination can be required. Whether users are comfortable submitting to such an examination must be considered. The system used must also be accepted for its technology. People have a long history of being reluctant to take up new technology. While this is traditionally seen in older generations, the rapid advancements in digital technology are currently experiencing backlash from younger generations trying to keep up. People are also sceptical of governmental use of their data, and of how biometrics can be incorporated into this. Facial recognition is increasingly being used in public areas without the knowledge or permission of the general public. This form of involuntary identification can assist a governing body with compiling further information about individuals, and with no knowledge of what that information may be or how it is to be used, the general public can be reluctant to embrace the technology.

Targeted Concern

While an awareness of a government's acquisition and use of personal data is politic and sensible, it is important for users of technology to understand what information they are choosing to provide, where their information is going, and the far-reaching implications of this information becoming available to others. People are more comfortable accepting "voluntary" risks, life-threatening risks that they bring upon themselves such as smoking or drink-driving, than they are putting themselves in much less risky situations that are out of their control. This phenomenon also seems to apply to risks regarding data management: people have a general dissatisfaction regarding government data collection, but are happy to hand over information of their own volition. Biometric technology is constantly improving and is becoming more prevalent in modern society, especially within the realm of facial recognition. An awareness of the potential for harm across all uses of biometrics is important for the security of personal data.


NSW cyber security: Two years in review

Since its establishment in March 2017, the office of the GCISO has been focussed on laying all the foundational pieces to support a coordinated NSW government response to any cyber threat. Because it is rare for serious cyber threats to be limited specifically to one organisation, coordination is the key pre-requisite to effective cyber security. Cyber security conducted in a siloed, agency-by-agency manner only increases the problem because the opportunity is lost for others to quickly pre-empt and avoid emerging threats. With great support from agencies, we have achieved a lot in a short space of time to make sure that we are addressing the increasing risks to our systems and information, especially in the following areas:

Governance: a deputy secretary-level body of cyber risk "owners" from all clusters, the Cyber Security Senior Officers' Group, has operated alongside the existing technology governance group, the ICT and Digital Leadership Group. In addition, to ensure we have the best advice from outside government, we also set up a Cyber Security Advisory Council.

Operational support & coordination: an operations team to help agencies with threat email advisories and support in managing incidents when they happen.

Budget: $20 million over four years to fund the central whole-of-government cyber security function to better coordinate and improve existing activities across NSW Government agencies.

Cyber Security Strategy: launched in September 2018, the NSW Cyber Security Strategy outlines our risk-based approach with an action plan for future initiatives on a wide range of areas including training and awareness, cyber skills and career pathways.

Cyber Security Policy: we have developed a new Cyber Security Policy which replaces the Digital Information Security Policy. This has recently been approved and will be made public shortly – watch for a blog on this topic soon.

Whole of Government response arrangements: approved Whole of Government incident response plans are in place, including those dealing with emergencies.

Response exercises: of course there's no point in having response plans if no one knows about them. These plans need to be second nature so that everyone knows what they need to do if things go wrong. So another major initiative has been our Cyber Incident Response Exercises – we have done four so far. These involved running through a fictitious scenario to test how staff and executive management respond. We are using the results of these exercises to clarify roles and responsibilities of all staff in the public sector. This is very important in building our cyber resilience and preparedness.

Procurement: better value by purchasing services for whole of government that would be prohibitive if every agency did them separately. As part of this work, we contracted a service (known as DMARC) to protect Government websites from spoofing. We are also making sure that as procurement takes place, the right questions are asked and the right terms are applied in contracts. We will talk more about this in future too.

Cyber risk assessment: commissioned a 'Passive Security Assessment' which scanned the total of 3,257 unique web domains and subdomains used by NSW Government agencies and provided useful vulnerability information to many agencies.

NSW is a digital transformation leader, and we are making sure that as we transform, we also keep our eyes firmly fixed on securing the information and services for which we are responsible.

By Maria Milosavljevic formerly NSW Government Chief Information Security Officer

Extracted with permission from the GCISO’s Blog – available at www.digital.nsw.gov.au/blog www.digital.nsw.gov.au/article/nsw-cyber-security-twoyears-review


PODCAST #WomeninCyber EPISODES

Highlighting our #WomeninSecurity and #WomeninCyber Podcasts!

Episode 28 – Australia’s eSafety Commissioner, Julie Inman-Grant discussing online safety, cyber bullying and child exploitation, as well as cyber crime and the need to educate Australians in a digitally ubiquitous world. We also talk about building the Australian cyber security industry and making it an international export powerhouse, as well as the upcoming mandatory data breach notification laws, which come into effect in February 2018.

Julie Inman-Grant, the Australian eSafety Commissioner at the Office of the eSafety Commissioner, speaks with Chris Cubbage at the Women in Cyber Mentoring Event in Sydney. Julie discusses her role and her focus on online safety, preventing cyber bullying, and child exploitation, and how her 17 years formerly at Microsoft, as well as Adobe, and Twitter, assist her in her role as the Commissioner of eSafety.

Chris and Julie also discuss the three pillars within eSafety of safety, security, and privacy and their inter-connectedness and priorities, and how parenting and education are still the two major lines of cyber-defence.

Episode 14 - Cyber-attack Response & Business Continuity - with RMIA 2017 'Risk Consultant of the Year' Rinske Geerlings of ‘Business As Usual’

In this interview, Chris Cubbage interviews Rinske Geerlings of ‘Business As Usual’, and they discuss business continuity plans, or BCPs, preparing for cyber attack related incidents, the formation of crisis management teams for organisations, and the Business Continuity Standard, ISO 22301.

Rinske highlights that cyber attacks aren’t simply about disaster recovery, where the damage has been caused but has ceased, but rather a situation where victim organisations are not even sure which systems they can safely use, due to continued infection or attack. Rinske highlights that cyber attacks aren’t only about IT downtime, but also Social Media Marketing and Communications, regarding the public response to customers, suppliers and other stakeholders.

Episode 57 – ‘Speed dating for cybersecurity jobs’ Interview with Liz Jakubowski, Director & Founder of Ribit.net, a Data61 initiative

In this interview, Chris Cubbage talks to Liz Jakubowski, Director and Founder of Ribit.net, a Data61 initiative within the CSIRO, working with AustCyber, speaking at a ‘speed dating for jobs’ event at the Australian Cyber Security Centre Conference, in Canberra. Liz discusses her organisation’s goal of matching talent with start-ups, big business, and government, through an algorithm which takes into consideration students’ hard and soft skills.

Episode 2 – Interview with Bonnie Butlin, creator of the Women in Security and Resilience Alliance (WISECRA)

This interview covers Bonnie's diverse background, global Women in Security initiatives and the changing nature of societal trust around data, privacy and security. The Security Partners’ Forum (SPF) is the first-of-its-kind agile international network of security professionals, bridging all domains and disciplines of security. Under the SPF banner Bonnie created the Women in Security and Resilience Alliance (WISECRA), which engages a growing network of women in security and resilience associations/groups globally, and the Canadian Cybersecurity Alliance (CCA). Since 2013 Bonnie has received no less than 8 international awards and accolades related to security and resilience, including most recently being named to the highly prestigious list of Canadian Who’s Who for 2017.

Episode 10 - #WomeninCyber Mentoring with Sandra Ragg, Erica Hardinge, Michelle Price & Megan Haas

You’ll hear from Sandra Ragg, Head of the Office of the Prime Minister’s Cyber Security Special Advisor Lead Cyber Resilience Taskforce, Erica Hardinge, Head of Security Enablement at ANZ Bank, Michelle Price, Chief Operating Officer at AustCyber, and Megan Haas, Partner, Cyber Security and Forensic Services at PwC, which was where the event was held. The four talk about the need to increase diversity, both with respect to gender and thinking, cyber career pathways that aren’t necessarily starting from an IT background,

Episode 63 – SPECIAL EDITION - Women in Cyber Panel, Australian Cyber Security Centre Conference #2018ACSC

Recorded before a live audience at the Australian Cyber Security Centre Conference, Canberra, 12 April, 2018, this is an in-depth and highly informative panel discussion on Women in Cyber Security. Chaired by Amy Roberts (Department of Home Affairs), with discussion from Professor Elanor Huntington (Australian National University), Mike Burgess (Australian Signals Directorate), Dr Maria Milosavljevic (NSW CISO), Debbie Platz AC (Australian Federal Police) and Stephanie Robertson (US National Security Agency).

Episode 30 – CISO Insights – Narelle Devine, Chief Information Security Officer - Australian Department of Human Services

Narelle Devine, Chief Information Security Officer for the Department of Human Services, discusses the difficulty in going out to market to find talent in cyber security, and how it takes ‘all sorts’ with a broad experience to build a strong cyber security team. The interview also discusses her role as a CISO and the importance of developing a peer-to-peer network to generate solutions and collaborate on ideas. Recorded at the Commonwealth Bank, Sydney, hosting Day 1 of the Women in Cyber Experience, November 28, 2017. #WICME In this interview you’ll hear cyber security vendors working together to collectively and systemically disrupt the ‘bad guys’.



Cyber Security

Cyber risk management in finance Technology risk management in the digital era for financial sector organisations

By Ridhi Garg, Director Technology and Digital Risk,

The technology landscape within the Financial Services Industry (FSI) has widespread issues of fragmented and legacy architecture, business-managed IT and inconsistent controls implementation. As technology transforms banking and insurance and shifts the risk landscape, organisations will need to develop a new approach to IT risk management that is pragmatic and linked with strategic business objectives. Some of the drivers for these changes include:

• Emerging technologies driving innovation: The emergence of new technologies, as well as increased collaboration across the industry and between regulators, is driving innovation like never before.

• Digitisation and inter-connections: For the majority of the last two decades, most financial services firms have been creating and distributing end-to-end products and solutions without the need to communicate and connect digitally (specifically in the device-driven world). The sector has now realised the value of data and how it helps to provide the right solutions to customers.

• Increased regulatory scrutiny: As the financial stability of firms becomes increasingly linked to technology, regulators are now taking more interest in the effect of technology transformation on business. Recent regulations like CPS234 and cloud guidance from APRA, and the Financial Services Royal Commission, exemplify the active role that regulators are playing in the space of information security and risk management.

• Cost focus at the top of the corporate priority list: There is a constant focus on assessing the value delivered by current approaches to IT risk management. The question is asked periodically whether the proposed investment from risk functions relates to business-as-usual capabilities, or the funding of large-scale control remediation programmes. This means IT risk functions must constantly align their approach to remain valid, current and useful in managing organisational risk posture.

Information technology played the role of an “enabler” until the early 2000s, when IT functions were only required to provide platforms and systems for businesses to store, process and protect their data. The need for reliance on an IT risk management framework started to increase as firms increased their interactions and dependencies with the external world over the internet. This gradually led to the emergence of stand-alone IT risk functions during 2000-2015, due to an increased focus from regulators on risk management practices. In the last few years, with the boom of cloud computing, we have seen the volume and nature of controls evolve, ranging from traditional general computer controls to configurable automated controls, owned outside of the technology function in a centralised and specialised controls team. In the future, we expect Robotic Process Automation (RPA) software to become fully embedded, allowing robots to perform the operation of core controls and 24-hour continuous monitoring, largely without human intervention.

What does this mean for IT risk functions?

Whilst technology was initially an enabler to the business, it is now a key differentiator in terms of cost, speed, innovation and customer experience. As banking and insurance technology becomes more efficient and more automated, the eco-system in which firms operate will grow vastly more complex. The IT risk function will need to take the lead in driving a co-ordinated approach to dealing with some of the following key risks emerging because of these advances:

• Organisational: The need for technology management roles may outpace the speed at which risk professionals are trained and upskilled. It is also expected that the cultural shift to automation may negatively impact employee morale in some instances.

• Audit and assurance: Poorly written algorithms may lead to non-compliance with regulatory requirements and adversely impact achievement of business outcomes. Agile ways of delivery need a different mindset to perform traditional audits and prevent oversight.

• Technology: Routine IT platform changes may impact automation solutions if they are not aligned with each other.

• Operational: Increased processing errors caused by poorly designed automation solutions or automation of complex processes, which may also lead to increased operational inefficiencies due to a lack of effective oversight procedures, change management processes and standards.

Digital transformations and adoption of agile delivery techniques require new approaches to traditional areas like audit, compliance, brand and reputation management, and approaches to new areas such as cyber and algorithmic risk. Organisations need to adopt an integrated framework to manage the risks associated with emerging technologies, while increasing ROI and protecting value. There needs to be an enhanced focus on planning and aligning a governance structure to enable digital transformation. This needs to be supported by the right organisational processes, controls and policies that will allow for rapid transformation while controlling associated risks. Some of the strategies that technology risk leaders can consider adopting whilst dealing with these digitisation changes include:

• Re-assess the new threat landscape in a connected world: The threat landscape is evolving and changing at a rapid pace. Aspects like a connected world through APIs, blockchain technology, open banking and cloud computing never existed in the past. This has necessitated IT risk functions to understand the impact of these new dimensions on business operations and support them with adequate risk remediation strategies. Customer data will be required to be shared and used for driving better services and outcomes; however, it will present some challenges for data protection and data privacy.

• Controls transformation: There is a need for control design and testing activities to shift to the start of the technology build stage, rather than waiting for an annual cycle of controls testing or validation. This needs to be supported with an increased focus on preventative, automated and real-time controls, to reduce manual intervention and bring efficiencies. To detect incidents and issues as they occur, traditional detective controls are not sufficient, considering the speed at which data is created, accessed, shared and processed.

• Define automation strategy: Use of robotics software for control testing is becoming a common occurrence, hence the need for IT risk functions to align their own automation strategy to gain efficiency of resources and time. This will assist the function to reduce the ‘risk administration’ burden.

• Re-define talent strategy: There is always a challenge to find suitably talented people in the space of IT risk management who appreciate and understand the role of proactive risk management. With the new landscape, there is a need for IT risk professionals to be upskilled and to broaden their thinking across cyber, technology, digital, operational and business risk, to be able to identify, assess and remediate complex issues.

Harness the opportunity

With the challenges emerge opportunities that can assist organisations to streamline the inefficiencies in the existing control environment and structure. Organisations can take this as a way forward to structure their ongoing control remediation programs so that they are better suited to meet the requirements of emerging future technologies. This can not only assist them with a more efficient control environment and end-to-end visibility over process and control gaps, but also leverage the cost efficiencies automation can provide. The IT risk management landscape needs to shift left and begin to get involved from the start, rather than leaving it until the end to manage residual risks. Acting now to address the drivers and considerations will enable the IT risk function to play a leading and value-adding role in shaping the way in which technology drives the future.

About the author

Ridhi has more than 12 years of experience in delivering projects relating to cyber security, IT governance & risk management and ICT standards and operations. She has expertise in leadership for areas of process improvement, large scale ICT procurement and operations, cyber security transformation, project and program management, and security strategy definition and roadmap. Ridhi is helping clients with their technology and digital risk in Australia.




The power of the group in cybercriminal activities

by Kylie Watson

People carry out cyberattacks and exploit system vulnerabilities for a range of reasons, and the playing field is constantly changing. According to Kaspersky Lab, in 2016 alone there were approximately 758 million cyberattacks – that’s an average of one attack every 40 seconds. Numerous other hacks have happened in the past decade. The most publicised of these include the Yahoo breach, where hackers leaked user information relating to 500 million clients, and the WannaCry ransomware outbreak that downed systems all over the world, causing global panic and service disruption in energy, healthcare and transport organisations.

But who are the people behind these cyberattacks? What motivates people to commit cybercrime? There are a range of different cyber terrorists, hacktivists, state-sponsored actors and common cybercriminals in the world, and there are different motivations for their behaviour. Someone may be lashing out at an organisation that they feel has treated them unfairly. A hacktivist may be standing up for a cause they believe in. A state-sponsored hacker could be motivated by money, patriotism, or a feeling of cultural superiority. A cybercriminal may be motivated by possible financial gain, bragging rights that come with a big hack, or simply mischievous intent in creating a disruption. The fact remains that whichever type a cybercrime activist is, they’re most likely to remain harmless and docile until they find other people who share the same view and cause. That’s where the chaos starts: the power of the group.

Most cyberattacks are carried out by groups. However, individuals make up groups and it’s useful to explore their motivations to carry out the devastating attacks that they propagate. Group mentality plays a huge role in influencing individual members to hack for a cause. Anonymous is one of the best-known hacking groups of our time. This group of vigilante hackers has taken upon itself the role of Guardians of Freedom of Information. They are responsible for some of the most publicised hacks of the past two decades. Their Guy Fawkes masks are immediately recognisable, and wearing them is a smart psychological push for anyone to commit a crime. The mask ensures that they remain anonymous when carrying out any activities on behalf of the group. It also gives a sense of ownership. It makes an individual feel like they belong to an entity that is bigger than themselves, a much more powerful force that can protect them. This assuaging characteristic is one of the reasons why Anonymous is so successful.

We Are Legion is a 2012 revelatory documentary based on Anonymous, with interviews of individuals in the group who had participated in previous hacks. Most of the people interviewed admitted that they would not have dared do what they did had they been alone, and admitted that they felt a sense of belonging in their ties to the group. In some instances, individuals appear to have been coerced or manipulated into participating in online activities by groups without an accurate understanding of the consequence of their actions or the risk of criminalisation (Olson, 2012).

More research needs to be undertaken, but it appears that cyberattack groups have similarities to traditional street gang behaviours. They are often driven by charismatic leadership, where individuals are seeking a sense of belonging, or validation, and the leader is effective in addressing these needs. A critical aspect of gang formation coincides with the notion that followers are committed to the organisation and to a purpose or principle (Kelly, 1988). This aligns to the more informal group behaviour of cybercriminals, as they revolve around a shared desire to create mischief for a gain. Both gang and cyberattack team leaders are often able to draw in members who feel alienated from society. For gang or cybercriminal team members, affiliation provides a source of empowerment and fosters their personal ideals of achievement. Although the concept of a street gang conjures up very different images to that of a cybercriminal team, the influences of leadership and membership are not dissimilar.

For most cyberattacks, perhaps with the exception of state-based crime, the prospect of bragging rights within a group is another great motivator and a key ingredient in keeping a tight-knit group of cybercriminals. A big successful hack elevates the status of the members of the team among their peers. For people who, in real life, receive little acknowledgement, prospective online celebrity status can be a big allure. Each hacker in a team has a specific skillset that makes them a key part of a specific hack. They are all important in the accomplishment of the hack, and therefore the authority figure in the group, or even the other members themselves, help keep each other motivated. By the time they’ve committed a security breach or possibly caused the breakdown of a national infrastructure, it’s far too late for them to turn back.

By retrospectively applying psychological research to people’s behaviour and looking at the pre-determined factors that can cause digressional behaviour, we can get a better idea of the tendencies and traits that can lead an individual to commit a cyber-crime. It’s not a myth that for many cyber criminals there may be an inherent social disposition or asocial personality disorder that leads them to behave in unpredictable and aggressive ways. This is similar to the alienation that may occur with a traditional street gang member feeling disassociated from society. In addition, according to a study from Buckels in 2014, online trolls exhibit personality traits such as sadism and psychopathy, exhibiting enjoyment for the harm they are causing online. It would be interesting to explore the correlation of this with the most violent and sadistic criminal members of a traditional street gang.

Despite the intrinsically psychological and sociological nature of many cybersecurity attacks, research into behaviours in cybersecurity is still limited. Indeed, even research into social engineering is often conducted from the discipline of computing, rather than social psychology or sociology. There is a growing need to prevent and mitigate the impact of cybersecurity incidents, and this has been the focus of the majority of psychological research to date. But we also need a clearer understanding of what motivates people to engage in cybercrime (particularly in cases of hacktivism and online protest, where adversaries place themselves at risk of prosecution). Attempts to dissuade people (especially young adults) from becoming involved in hacktivism and cybercrime by instructing them that they should not do so seem destined to fail. As experienced across a range of health and social behaviours, such direct and blatant attempts to change behaviour can easily result in a reactive response, in which an individual or group resent the perception that their choices are being removed from them. In some cases the individual may adopt an attitude contrary to that which they feel is being pushed upon them, in a process known as negative attitude change (Fuegen & Brehm, 2004). It may be helpful to apply learnings from successful programs that have deterred people from joining street gangs to the issue of cybercriminal activity, although the global nature of cybercrime makes it quite a daunting task.

The role of protecting vast information resources that is tasked upon cyber security teams is increasingly complex. As the internet and digital technologies become increasingly pervasive in our lives, it is important that we dedicate more time and energy to psychological and sociological studies to gain better insights into the behaviours and motivations of cybercrime activists, through dedicated research on the role of individuals and their role in the group.

About the author

“Kylie is a Major Firm Partner (and a Sociologist) with extensive experience in both public sector and commercial, with a focus on business intelligence, technology analytics and behavioural analytics. She has led teams across Australia, New Zealand, South Africa, Thailand, Singapore, Malaysia, Japan and Korea to assist clients with business intelligence road maps, data warehouse implementation and mining, data visualisation, business transformation, change management, behavioural economics and automation intervention points. She is an award winning innovation specialist with a black belt in design thinking and business model innovation. Kylie has co-authored academic papers on predictive analytics and nudge theory and is a recognised thought leader invited to give keynotes on new technologies globally. Her experience ideally places her to work with clients on analytics, behavioural interventions into automated processes, design thinking and business intelligence and reporting.”

Sources

Ablon, L. (2018). Data Thieves: The Motivations of Cyber Threat Actors and Their Use and Monetization of Stolen Data. doi:10.7249/ct490

Bisson, D. (2018, July 2). 5 Social Engineering Attacks to Watch Out For. Retrieved from https://www.tripwire.com/state-of-security/security-awareness/5-social-engineeringattacks-to-watch-out-for/

Center for Strategic and International Studies. (2019). Significant Cyber Incidents | Center for Strategic and International Studies. Retrieved from https://www.csis.org/programs/cybersecurity-and-governance/technology-policyprogram/other-projects-cybersecurity

Knappenberger, B. (Director). (2012). We Are Legion: The Story Of The Hacktivists [Motion picture]. USA.

Knowles, E. S., Nolan, J. M., & Riner, D. D. (n.d.). Resisting Persuasion. Encyclopedia of Social Psychology. doi:10.4135/9781412956253.n450


Advocacy. Community. Integrity. Join the Australian Institute of Professional Intelligence Officers today

Intelligence can provide exciting career pathways across many different agencies and sectors — but isn’t it good to know you’re part of a bigger national and global community? The Australian Institute of Professional Intelligence Officers (AIPIO) provides this community, together with a wide range of membership benefits. Our membership is drawn from a diverse range of intelligence domains, including:

NATIONAL SECURITY

DEFENCE

LAW ENFORCEMENT

REGULATION

BUSINESS

ACADEMIA

BANKING & FINANCE

INTEGRITY COMMISSIONS

As the peak professional body for intelligence professionals, AIPIO is committed to:

• Connecting members across intelligence communities and encouraging cross-domain collaboration

• Sharing cutting edge and emerging global intelligence practices and enabling technologies

• Supporting and representing intelligence professionals throughout their career lifetime

• Encouraging cross-domain collaboration on broad intelligence topics such as cyber and big data

Do something positive for yourself and your career – join AIPIO today.

aipio.asn.au




Penetrating real-time threat behaviour: Cyber analytics and the pen tester

I By Dr. Brigitte Lewis

t’s the wild, wild, west out there in cyberspace, except the feral camels that once roamed Texas are the hackers, and they’re roaming beyond borders and through firewalls on the daily. At present, cyber threat intelligence gathering is a mish-mash of intrusion detection system logs, port scans, IP addresses, information sharing platforms, Twitter feeds and traditional write-ups. There is no one consistent language used across these platforms to refer to attacks, techniques or procedures and there’s no one single source of data. Much like post-truth America, you’ve got to look in all the right places to piece together the whole story and even then it’s hard to know if you’ve put the puzzle together the way it was intended. What this means is while there’s massive complexity when trying to understand the path an attacker has taken, it also means that there’s huge potential when it comes to leveraging the data or bits (pun intended) of evidence a hacker leaves behind.

Information Gathering and the Penetration Tester

and true ways to compromise a system or application. They might listen to a few podcasts, keep an eye on social media, follow a hacking news website and sign up to a mailing list, but all of this is hugely labour intensive and no one person has the hours in the day to keep on top of, let alone be well versed in, all the latest attacks. The dream, of course, is to have a program or Artificial Intelligence learn the tactics, techniques and procedures of hackers out in the wild, bring it all back into a nice table where all the data is the same data type, turn into a visualisation with a gorgeous dashboard and then teach the team new attacks on the fly as they happen in real-time. This, dream, as wondrous as it sounds, is hanging above the Magic Faraway Tree and yet to be written down and sold as a four set gold embossed collection. What we do have, and I’m focusing here on open source data and software, are many tools and data sets that can bring us just that little bit closer to a rousing monologue that could change the history of how we prevent cyberattacks in the future.

Big Data Big Complexity Penetration testers, who are my focus here, do much of their work when it comes to figuring out attack paths and new ways to penetrate, based on historical data or tried

84 | Australian Cyber Security Magazine

For data analysts, one of the problems with data on the internet is that it comes in many forms, with many definitions


Cyber Security

and no one universal dictionary to look up in order to know for sure what a word or a phrase means. Structured Threat Information Expression, or STIX (which was created by the United States Department of Homeland Security and is used here in Australia by our own Cyber Security Centre), was created to address this issue. It is useful for starting to standardise the way we talk about cyber threat intelligence, so that we are all in fact having the same conversation, in the same language. Some platforms, like MISP, the Malware Information Sharing Platform created by Christophe Vandeplas while he was working for the Belgian Defence Department, allow users to export the Indicators of Compromise (IOCs) that they and others share on the platform in the STIX format. This actively aids the development of a threat intelligence language so that we may use it to talk back to one another and share with the various systems we all use. MISP itself is an interesting platform, with its public instance boasting more than 1000 organisational users from across the globe, including big players like Google, Apple, and our own Federal Police. It’s great at gathering threat feeds that are readily usable for other machines to digest, but like every feed I’ve found to date, it tells only one part of the story of an attack or attempted attack. To tell the whole story, human research, interpretation and reasoning are needed, along with further data and frameworks, in order to map or make sense of what actually happened blow by blow. Mapping attacks is where MITRE’s ATT&CK Framework comes in. ATT&CK describes why an action was performed and the technique used to do it, which is often missing from publicly released reports or write-ups that gloss over the specifics of an attack. MITRE has even produced a STIX version of ATT&CK so you can output the data in a standardised format.

So Many Data Types So Little Time

Using a common language is not the only challenge when it comes to data mining threat intel, because when you’re out in the wild looking for feeds that deliver indicators of compromise or information, not all data is created equal. You’ll find XML, JSON, JavaScript, images and, if you’re lucky, APIs to query data in a more programmatic way. At this point you’ll need a good grasp of either Python or R to make HTTP requests to get the data, as you would when looking up a regular web address, and you’ll sometimes find purpose-built libraries, which are often written in Python. So depending on your language preference, R for beauty and simplicity or Python for a more smash-and-grab approach, both are good to have in your tool belt. Once you’ve pulled the data from various feeds and platforms, you’ll notice that you have to transform it into something much easier to work with than JSON key-value pairs, which is where data frames come in. Each data set will have particular information that doesn’t always match information in other data sets, so cleaning the data is a crucial activity too. After this, you’ll need to push it to an unstructured database of your choice. Then, and only then, can the magic happen: a genius yet simple way to collate masses of data and turn it into easy-to-digest threat intel, served with a side of sweet visualisation and predictive analytics in the making. The future of cyber analytics is now and I am excitedly working towards making the internet a more hospitable place. I would love to hear from you if you are too.

About the author

Brigitte Lewis works as a Penetration Tester and Data Analyst. She has a PhD in Sociology and a passion for wicked problems, cyber security research, using data analytics for social change and #parkhangs. Follow her on Twitter @briglewis or check out her website, brigittelewis.com.
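The two steps the article describes, pulling feeds of different shapes (a STIX 2.1 bundle and a MISP event export) and cleaning them into one flat table that can also carry the ATT&CK technique references the STIX bundle links to, as an added Python example that is not the author's code. The STIX bundle, the MISP event and every indicator value in them are constructed for this example (documentation IP ranges, example.com, a dummy hash, a dummy STIX id); the canonical kind names and the `build_feed` function are this example's own choices, not part of either project's API. It uses only the standard library, so the data-frame step stands in as a list of dictionaries, and values that cannot be parsed or validated are reported rather than guessed.

```python
"""Normalise indicators from two differently shaped feeds into one flat, cleaned table."""
import ipaddress
import json
import re
from datetime import datetime, timezone

# Constructed sample feeds (not real IoCs: documentation IPs, example.com, a dummy hash).
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "id": "indicator--aaaa", "valid_from": "2019-01-10T00:00:00Z",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "id": "indicator--bbbb", "valid_from": "2019-01-11T00:00:00Z",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'Update.Example.COM']"},
        {"type": "indicator", "id": "indicator--cccc", "valid_from": "2019-01-12T00:00:00Z",
         "pattern_type": "stix",  # compound pattern: this example only handles single comparisons
         "pattern": "[file:hashes.'SHA-256' = '" + "0123456789abcdef" * 4 + "' AND file:size > 4096]"},
        {"type": "attack-pattern", "id": "attack-pattern--dddd", "name": "Phishing",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
        {"type": "relationship", "id": "relationship--eeee", "relationship_type": "indicates",
         "source_ref": "indicator--aaaa", "target_ref": "attack-pattern--dddd"},
    ],
})
MISP_EVENT = json.dumps({"Event": {"info": "constructed sample event", "Attribute": [
    {"type": "ip-dst", "value": "198.51.100.7 ", "to_ids": True, "timestamp": "1547596800"},
    {"type": "domain", "value": "update.example.com", "to_ids": True, "timestamp": "1547596800"},
    {"type": "sha256", "value": "0123456789ABCDEF" * 4, "to_ids": True, "timestamp": "1547596800"},
    {"type": "ip-dst", "value": "999.1.1.1", "to_ids": True, "timestamp": "1547596800"},  # invalid
]}})

# Canonical indicator kinds (this example's own naming) and the feed-specific names mapped onto them.
STIX_KINDS = {("ipv4-addr", "value"): "ipv4", ("domain-name", "value"): "domain",
              ("file", "hashes.'SHA-256'"): "sha256"}
MISP_KINDS = {"ip-src": "ipv4", "ip-dst": "ipv4", "domain": "domain", "hostname": "domain",
              "sha256": "sha256"}
# A single-comparison STIX pattern: [object-type:property = 'value']
SIMPLE_PATTERN = re.compile(r"^\[([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'\]$")


def clean(kind, value):
    """Trim and canonicalise a value; return None if it is not a valid instance of kind."""
    value = value.strip()
    if kind == "ipv4":
        try:
            return str(ipaddress.IPv4Address(value))
        except ValueError:
            return None
    value = value.lower()
    if kind == "domain":
        return value.rstrip(".") if re.fullmatch(r"[a-z0-9.-]+", value) else None
    if kind == "sha256":
        return value if re.fullmatch(r"[0-9a-f]{64}", value) else None
    return None


def stix_records(bundle_json):
    """Flatten a STIX bundle: one row per indicator, with ATT&CK ids it 'indicates'."""
    objs = json.loads(bundle_json)["objects"]
    techniques = {o["id"]: ref["external_id"] for o in objs if o["type"] == "attack-pattern"
                  for ref in o.get("external_references", []) if ref.get("source_name") == "mitre-attack"}
    indicates = {}
    for o in objs:
        if o["type"] == "relationship" and o["relationship_type"] == "indicates" and o["target_ref"] in techniques:
            indicates.setdefault(o["source_ref"], set()).add(techniques[o["target_ref"]])
    rows = []
    for o in objs:
        if o["type"] != "indicator":
            continue
        m = SIMPLE_PATTERN.match(o["pattern"])
        kind = STIX_KINDS.get((m.group(1), m.group(2))) if m else None
        rows.append({"kind": kind, "raw": m.group(3) if m else o["pattern"], "first_seen": o["valid_from"],
                     "source": "stix", "techniques": indicates.get(o["id"], set())})
    return rows


def misp_records(event_json):
    """Flatten a MISP event export: one row per attribute, epoch timestamp made ISO-8601."""
    rows = []
    for a in json.loads(event_json)["Event"]["Attribute"]:
        seen = datetime.fromtimestamp(int(a["timestamp"]), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        rows.append({"kind": MISP_KINDS.get(a["type"]), "raw": a["value"], "first_seen": seen,
                     "source": "misp", "techniques": set()})
    return rows


def build_feed(stix_json, misp_json):
    """Merge both feeds into one deduplicated table keyed on (kind, value); return (records, rejected)."""
    merged, rejected = {}, []
    for row in stix_records(stix_json) + misp_records(misp_json):
        value = clean(row["kind"], row["raw"]) if row["kind"] else None
        if value is None:  # unknown type, unsupported pattern, or a value that failed validation
            rejected.append(row)
            continue
        rec = merged.setdefault((row["kind"], value), {"kind": row["kind"], "value": value,
                                 "first_seen": row["first_seen"], "sources": set(), "techniques": set()})
        rec["first_seen"] = min(rec["first_seen"], row["first_seen"])  # earliest sighting across feeds
        rec["sources"].add(row["source"])
        rec["techniques"] |= row["techniques"]
    return list(merged.values()), rejected


if __name__ == "__main__":
    records, rejected = build_feed(STIX_BUNDLE, MISP_EVENT)
    for r in records:
        print(r)
    print(len(rejected), "rows rejected:", [r["raw"] for r in rejected])
```

The rejected list is worth keeping rather than discarding: a compound STIX pattern or a malformed address is exactly the kind of feed inconsistency the article says makes cleaning a crucial step, and a row that silently vanishes is harder to audit than one that is reported.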

Australian Cyber Security Magazine | 85


Crystal Eye UTM Series 10 Gateway

Enterprise to SMB/Home Office Solutions - Crystal Eye Series 10 - 200

10% Discount off RRP to Marketplace Users:

Crystal Eye Deployed Device is a Unified Threat Management (UTM) next-generation firewall (NGFW) software/hardware solution for your enterprise or home office, protecting it from a variety of threats and risks through a range of integrated services.

Illumio Adaptive Security Platform

Enterprise Solution

The Illumio Adaptive Security Platform® (ASP) secures the inside of any data center and cloud – running any form of compute – with micro-segmentation enabled by application dependency and vulnerability maps.

Predictions 2019: Cyber Security Key Trends

Over 2018 the Huntsman team has seen a number of trends develop which may impact your organisation’s operation and exposure to risk; we’ve created a White Paper, Predictions 2019 – Looking forward to next year in cyber security, to share these with you.

HUNTSMAN SECURITY CYBER SECURITY PREDICTIONS 2019

The Cyber Breach Communication Playbook


The Cyber Breach Communications Playbook is set out in a straight-forward, easy to understand format that delivers on equipping Boards with a rapid and competent decision making guideline – “asking the right questions is 80% of getting the right solution.”

LISTEN TO OUR AUTHOR PODCAST


Out Now!


Print Post Approved PP100003227

THE COUNTRY’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.australiansecuritymagazine.com.au Oct – Dec 2018

THE MAGAZINE FOR AUSTRALIAN INFORMATION SECURITY PROFESSIONALS | www.australiancybersecuritymagazine.com.au @AustCyberSecMag Issue 3, 2017

The active directory botnet

Mandatory Breach Notifications and the GDPR Effect

Cyber insurance: A buyer’s guide Part 2

Machine Learning in Cyber Security

Many modes of supply chain attacks

The dawn of the digital Manager

Biological Protection-In-Depth

Australian-made FLAIM Trainer

How to minimise roulette wheel motion blur

The rise of hashgraph

Cyber Risk Meetup - Wrap-ups & Launches

A cyber week in London – Part 2

Know your enemy : Part 2

Honeycutt Social Engineering

Interview with ANZ's Security Team

WA’s Capture the Flag Competition

India’s Supreme Court reins in citizen profiling

$8.95 INC. GST

Resilient organisations begin with resilient people

Migrating to IP video SURVEILLANCE PLUS

Techtime

THE REGION’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.asiapacificsecuritymagazine.com Nov/Dec 2018

- PLUS -


D I V E R S I T Y F E AT U R E S


Gender Minorities within STEM | Bridging the Gender Gap | Seeking diversity in Cybersecurity


THE COUNTRY’S LEADING GOVERNMENT AND CORPORATE SECURITY MAGAZINE | www.australiansecuritymagazine.com.au Aug/Sep 2017

Women IN

SECURITY


ROBOTICS GROWTH & OPPORTUNITIES

PLUS


DRONES, ROBOTICS, AUTOMATION, SPACE, TECHNOLOGY, INTELLIGENCE, COMMUNICATIONS | www.drasticnews.com

ISSUE #1 2019

A New Race: Robotics, Artificial Intelligence & Human Convergence

The RoboCop Continuum

The rise of autonomous vehicles

Cyber data protection in Formula 1

SPECIAL FEATURE

The Security implications of driverless vehicles

Plus Techtime!


ENGAGING CO-CREATION TO PREPARE FOR FUTURE SECURITY THREATS

2 - 4 July 2019, Sands Expo & Convention Centre, Singapore

www.interpol-world.com

Global Safety Today • Improving Security for Tomorrow • Forecasting and Planning for the Future

Register for INTERPOL World 2019!

INTERPOL World is a global co-creation opportunity which engages the public and private sectors in dialogue and fosters collaboration to counter future security and policing challenges.

• 30 strategic Co-creation Labs to discuss the challenges and solutions for combating the crimes of the future

• Exhibition that serves as a business and networking event for 250 manufacturers, distributors, and Research and Development organizations to offer innovative products and cutting-edge technologies

• INTERPOL Working Groups (by invitation only) including the chief innovation officers group, artificial intelligence, drones and the Darknet and cryptocurrency group

EVENT OWNER

SUPPORTED BY

INDUSTRY INSIGHTS BY

visitor@interpol-world.com

HELD IN

MANAGED BY

